AllowAll and Access-Control-Expose-Headers.

[yonderblue]

Just a suggestion, since wildcard for Access-Control-Expose-Headers isn't widely supported yet, I would recommend filling Access-Control-Expose-Headers in the AllowAll configuration with the result of whatever is set in the wrapped handler minus any of the 6 default values and other Access-Control-* headers.

[rs]

Would you be willing to submit a PR?

[yonderblue]

Sure thing, PR up.

[bweston92]

Any update on this? I think this is causing me some issues.

[jub0bs]

filling Access-Control-Expose-Headers [...] with the result of whatever is set in the wrapped handler [...]

I thought about this, and I don't think it can be done. In general, the wrapped handler may write to the response body; and after that, it would be too late for the middleware to include another response header (Access-Control-Expose-Headers).

One thing you can do is include the following header:

Access-Control-Expose-Headers: *

but that's only compatible with anonymous (as opposed to credentialed) access.

[jub0bs]

@rs Because Access-Control-Expose-Headers: * is now supported by all modern browsers for non-credentialed access, I think you could likely close this issue.