On Sun, 25 Sep 2011 00:50:58 +0200, Conrad Irwin <conrad.ir...@gmail.com> wrote:
Is there a reason that Javascript cannot read the Access-Control-*
headers in CORS?

In particular I was trying to work around a bug in Firefox [1] that
means that .getAllResponseHeaders() doesn't get all response headers
for CORS requests. It seems that the nicest way to do this would just
be to iterate over the list of simple-response-headers, and the
contents of the Access-Control-Expose-Headers header.

Unfortunately, I'm not able to read the Access-Control-Expose-Headers
header, because it was not exposed in the
Access-Control-Expose-Headers header :).

In general it seems like a useful introspection mechanism — it would
allow applications to distinguish between "this header was not set"
and "I am not allowed to read this header". It also seems that it
would be useful to be able to read the Access-Control-Allow-Headers,
and Access-Control-Allow-Methods headers so that the javascript
application can adjust its feature set based on what the server will

One reason I can think of is that we do not want to give attackers more information than strictly necessary. Exposing "Access-Control-Expose-Headers" would be different from what getAllResponseHeaders() returns. Gecko should just fix its bug.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=608735

Anne van Kesteren
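The filtering the two messages above argue about, as an added example that is not code from either poster or from any browser: a small model of which response headers a cross-origin XMLHttpRequest lets script read. It takes the full header set the browser actually received (constructed sample data below) and keeps only the 2011 CORS draft's simple response headers (Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma) plus whatever Access-Control-Expose-Headers names, never the Set-Cookie family. The `*` wildcard handling and the `credentialed` flag reflect later Fetch behaviour and are an assumption of this example, not something the 2011 thread discusses; `corsVisibleHeaders`, `explainHeader` and the `X-*` header names are invented for illustration.

```javascript
// Added example, not from the thread: a model of the CORS response-header
// filter applied before getAllResponseHeaders() / getResponseHeader().
// All header names, values and function names below are constructed.

// "Simple response headers" of the 2011 CORS draft (Fetch later renamed them
// CORS-safelisted response-header names and added Content-Length).
const SIMPLE_RESPONSE_HEADERS = new Set([
  "cache-control", "content-language", "content-type",
  "expires", "last-modified", "pragma",
]);

// Response headers script may never read, CORS or not.
const FORBIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);

// Parse a comma-separated header-name list (the value of
// Access-Control-Expose-Headers) into a Set of lowercase names.
function parseHeaderList(value) {
  const names = new Set();
  for (const raw of (value || "").split(",")) {
    const name = raw.trim().toLowerCase();
    if (name) names.add(name);
  }
  return names;
}

// Return the subset of `headers` (name -> value) that script may read on a
// cross-origin response. `credentialed` mirrors xhr.withCredentials: a "*"
// in Expose-Headers only widens the list for non-credentialed requests
// (later Fetch behaviour, assumed here; the 2011 draft had no wildcard).
function corsVisibleHeaders(headers, { credentialed = false } = {}) {
  const lowered = {};
  for (const [k, v] of Object.entries(headers)) lowered[k.toLowerCase()] = v;

  // Note the circularity Conrad points out: this list is read by the browser,
  // but the header carrying it is itself not exposed unless it names itself.
  const exposed = parseHeaderList(lowered["access-control-expose-headers"]);
  const wildcard = exposed.has("*") && !credentialed;

  const visible = {};
  for (const [name, value] of Object.entries(lowered)) {
    if (FORBIDDEN_RESPONSE_HEADERS.has(name)) continue;
    if (SIMPLE_RESPONSE_HEADERS.has(name) || exposed.has(name) || wildcard) {
      visible[name] = value;
    }
  }
  return visible;
}

// The distinction script cannot make on its own (the point of the thread):
// given the browser's full view, is a header absent, readable, or present
// but hidden by CORS?
function explainHeader(headers, name) {
  const key = name.toLowerCase();
  const present = Object.keys(headers).some((k) => k.toLowerCase() === key);
  if (!present) return "not set";
  return key in corsVisibleHeaders(headers) ? "readable" : "hidden by CORS";
}

// Constructed sample response from a cross-origin API.
const SAMPLE_RESPONSE = {
  "Content-Type": "application/json",
  "X-Request-Id": "abc123",
  "X-RateLimit-Remaining": "42",
  "Set-Cookie": "sid=1; HttpOnly",
  "Access-Control-Allow-Origin": "https://app.example",
  "Access-Control-Expose-Headers": "X-Request-Id, Access-Control-Allow-Origin",
};

// Stand-alone run: list what script would see, and classify two headers.
console.log(Object.keys(corsVisibleHeaders(SAMPLE_RESPONSE)));
console.log(explainHeader(SAMPLE_RESPONSE, "X-RateLimit-Remaining"));
console.log(explainHeader(SAMPLE_RESPONSE, "ETag"));
```

Running it shows that from inside the page X-RateLimit-Remaining and a missing ETag look identical (both come back null from getResponseHeader), which is exactly the ambiguity the first message wants an introspection mechanism for, and that Access-Control-Expose-Headers itself drops out of the readable set unless the server lists it by name.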
