BogdanBiv

Reputation: 1518

In the HTTP CORS spec, what's the difference between Allow-Headers and Expose-Headers?

In the HTTP CORS spec, what's the difference between 5.6 Access-Control-Allow-Headers and 5.3 Access-Control-Expose-Headers?

[Allow-Headers] header indicates, as part of the response to a preflight request, which header field names can be used during the actual request

UPDATE: I was hoping someone would tell me one of these headers is sent for every request (pre-flight)... However, there is yet another header that is used for that: 5.9 Access-Control-Request-Headers

[Request-Headers] header indicates which headers will be used in the actual request as part of the preflight request

BTW, I love how they (W3C) carefully worded 5.9 so that the request header can have a field called _Something_ Request Header.

I'm completely lost in the spec, is there a diagram where I can understand this process better?

Upvotes: 54

Views: 18766

Answers (2)

HopeKing

Reputation: 3503

Just to clarify a comment above that these are badly named, these are not badly named.

They serve distinct functions.

  • Access-control-allow-headers specifies which headers are allowed to change the state of the server.
  • While for Access-control-expose-headers, the getResponseHeader() method returns the value of a particular response header. During a CORS request, the getResponseHeader() method can only access simple response headers. To be able to access other headers, you need to specify them here.

Upvotes: 20

Udi Dahan

Reputation: 502

Access-Control-Allow-Headers

Used in response to a preflight request to indicate which HTTP headers can be used when making the actual request.

Access-Control-Expose-Headers

This header lets a server whitelist headers that browsers are allowed to access. For example:

Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

Upvotes: 45
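Since the question asks for a picture of the whole process, here is an added example (not code from the question or either answer) that models the exchange both answers describe as plain Node functions: the browser decides whether a preflight is needed, sends Access-Control-Request-Headers, compares the server's Access-Control-Allow-Headers against it, and then filters the real response through Access-Control-Expose-Headers before getResponseHeader() can see anything. The header names and safelists follow the CORS and Fetch specifications; the origins https://app.example and https://api.example, the constructed server policy, and the headers X-Request-Id, X-RateLimit-Remaining and X-Internal-Backend are assumptions made up for the demo.

```javascript
// Added example, not code from the question or either answer: a Node model of
// the CORS exchange with browser and server as plain functions. Header names
// and safelists follow the CORS/Fetch specs; origins, policy and the custom
// X-* headers are constructed for this demo.

const CLIENT_ORIGIN = 'https://app.example'; // constructed
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_CONTENT_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);
// Request headers a browser may send cross-origin without asking first.
const SAFELISTED_REQUEST_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
// Response headers a script may always read with getResponseHeader().
const SAFELISTED_RESPONSE_HEADERS = new Set(['cache-control', 'content-language', 'content-length',
  'content-type', 'expires', 'last-modified', 'pragma']);

// Constructed policy of the API at https://api.example.
const SERVER_POLICY = {
  allowOrigin: CLIENT_ORIGIN,
  allowMethods: ['GET', 'POST', 'PUT'],
  allowHeaders: ['Content-Type', 'Authorization', 'X-Request-Id'], // spec 5.6
  exposeHeaders: ['X-Request-Id', 'X-RateLimit-Remaining'],        // spec 5.3
};

const splitList = (s) => (s || '').split(',').map((x) => x.trim().toLowerCase()).filter(Boolean);

function isSafelistedRequestHeader(name, value) {
  const n = name.toLowerCase();
  if (!SAFELISTED_REQUEST_HEADERS.has(n)) return false;
  if (n === 'content-type') return SIMPLE_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase());
  return true;
}

// Browser: headers that must be declared in Access-Control-Request-Headers (spec 5.9).
function headersNeedingPreflight(headers) {
  return Object.entries(headers)
    .filter(([n, v]) => !isSafelistedRequestHeader(n, v))
    .map(([n]) => n.toLowerCase()).sort();
}

// Browser: the preflight is skipped only for a simple method with safelisted headers.
function needsPreflight(method, headers) {
  return !SIMPLE_METHODS.has(method) || headersNeedingPreflight(headers).length > 0;
}

function buildPreflight(method, headers) {
  return { method: 'OPTIONS', headers: {
    'origin': CLIENT_ORIGIN,
    'access-control-request-method': method,
    'access-control-request-headers': headersNeedingPreflight(headers).join(', '),
  } };
}

// Server: the preflight answer only states policy; it does not judge the request.
function serverPreflightResponse(preflight) {
  if (preflight.headers.origin !== SERVER_POLICY.allowOrigin) return { status: 403, headers: {} };
  return { status: 204, headers: {
    'access-control-allow-origin': SERVER_POLICY.allowOrigin,
    'access-control-allow-methods': SERVER_POLICY.allowMethods.join(', '),
    'access-control-allow-headers': SERVER_POLICY.allowHeaders.join(', '),
    'access-control-max-age': '600',
  } };
}

// Browser: the comparison of requested vs allowed happens in the user agent.
function preflightAllows(preflight, response) {
  const h = response.headers;
  if (h['access-control-allow-origin'] !== preflight.headers.origin) return false;
  const method = preflight.headers['access-control-request-method'];
  if (!SIMPLE_METHODS.has(method) && !splitList(h['access-control-allow-methods']).includes(method.toLowerCase())) return false;
  const allowed = new Set(splitList(h['access-control-allow-headers']));
  return splitList(preflight.headers['access-control-request-headers']).every((n) => allowed.has(n));
}

// Server: the actual response carries more headers than the script will be able to read.
function serverActualResponse() {
  return { status: 200, headers: {
    'content-type': 'application/json',
    'access-control-allow-origin': SERVER_POLICY.allowOrigin,
    'access-control-expose-headers': SERVER_POLICY.exposeHeaders.join(', '),
    'x-request-id': 'req-0001',      // constructed values
    'x-ratelimit-remaining': '99',
    'x-internal-backend': 'node-7',  // not exposed: hidden from getResponseHeader()
  }, body: '{"ok":true}' };
}

// Browser: what getResponseHeader() may return: safelisted names plus the exposed list.
function readableHeaders(response) {
  const exposed = new Set(splitList(response.headers['access-control-expose-headers']));
  const visible = {};
  for (const [n, v] of Object.entries(response.headers)) {
    if (SAFELISTED_RESPONSE_HEADERS.has(n) || exposed.has(n)) visible[n] = v;
  }
  return visible;
}

// The whole flow for one cross-origin request from https://app.example.
function crossOriginRequest(method, headers) {
  const preflighted = needsPreflight(method, headers);
  if (preflighted) {
    const pf = buildPreflight(method, headers);
    if (!preflightAllows(pf, serverPreflightResponse(pf))) {
      return { preflighted, allowed: false, visibleHeaders: {} }; // browser surfaces a network error
    }
  }
  return { preflighted, allowed: true, visibleHeaders: readableHeaders(serverActualResponse()) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(crossOriginRequest('PUT',
    { 'Content-Type': 'application/json', 'Authorization': 'Bearer t', 'X-Request-Id': 'abc' }));
}
```

Running it shows the two lists doing different jobs: Allow-Headers is consulted only in the preflight step, and only by the browser, while Expose-Headers never affects whether the request is sent at all; it only decides that x-request-id and x-ratelimit-remaining become readable and x-internal-backend stays hidden, even though all three arrived in the same response.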
