nthsky

@tzssangglass @tokers I use '\*\*' not '*' recording to the document to expose all headers.(Sorry I may not have described it clearly before, the '\*\*' is rendered in bold) The...

I mean it's being treated as a normal value now. But I think it's expected to expose all headers when using '\*\*', just like the other options, for example: reproduce...

> The `Access-Control-Expose-Headers` response header allows a server to indicate which response headers should be made available to scripts running in the browser, in response to a cross-origin request. The...

backend code: ``` r.POST("/t", func(c *gin.Context) { c.Header("cool", "cooler") resp := make(gin.H) for k, v := range c.Request.Header { resp[k] = v } c.JSON(200, resp) }) ``` backend server has...

It's the cross domain problem and curl can not explain problem. You can try following code from origin other than 127.0.0.1 in the browser console ``` fetch("http://127.0.0.1:9080/hello").then(resp => console.log(Array.from(resp.headers.keys()))) ```...

> I can't find the explanation about `**` easily. Do you have any materials? https://apisix.apache.org/docs/apisix/plugins/cors exposed_headers > Headers in the response allowed when accessing a cross-origin resource. Use , to...

> Looks like this is not related to APISIX but the handling of CORS in the broswer. It's work cors plugin to do, isn't it? The official document above said...

> https://github.com/apache/apisix/blob/master/apisix/plugins/cors.lua#L167-L172 when allow-credentials is true, it is not allowed to set other field to `*`

> > > [https://github.com/apache/apisix/blob/master/apisix/plugins/cors.lua#L167-L172](https://github.com/apache/apisix/blob/master/apisix/plugins/cors.lua?rgh-link-date=2022-07-12T09%3A50%3A25Z#L167-L172) > > > > > > when allow-credentials is true, it is not allowed to set other field to `*` > > ok, I get it....

> > > > [https://github.com/apache/apisix/blob/master/apisix/plugins/cors.lua#L167-L172](https://github.com/apache/apisix/blob/master/apisix/plugins/cors.lua?rgh-link-date=2022-07-12T09%3A50%3A25Z#L167-L172) > > > > > > > > > when allow-credentials is true, it is not allowed to set other field to `*` > >...