Luke Puplett
Reputation: 45135
CORS - When to return `Access-Control-Expose-Headers`
Should the Access-Control-Expose-Headers header field be returned along with an entity in response to an 'actual' request?
Or should it only be returned in response to a CORS preflight request?
Or both?
Upvotes: 5
Views: 1802
Answers (2)
Luke Puplett
Reputation: 45135
The flowchart is such a good resource I wanted to repost it here in my own answer.
Image from: http://www.html5rocks.com/en/tutorials/cors/#toc-cors-server-flowchart
Upvotes: 7
Dan Mork
Reputation: 1818
According to the flow chart on the following page, the answer is only in response to the actual request: http://www.html5rocks.com/en/tutorials/cors/#toc-cors-server-flowchart
Upvotes: 7
Related Questions
- How does the 'Access-Control-Allow-Origin' header work?
- How to set the Content-Type header for an HttpClient request?
- Why does my JavaScript code receive a "No 'Access-Control-Allow-Origin' header is present on the requested resource" error, while Postman does not?
- How to use java.net.URLConnection to fire and handle HTTP requests
- Request header field Access-Control-Allow-Headers is not allowed by itself in preflight response
- No 'Access-Control-Allow-Origin' header is present on the requested resource—when trying to get data from a REST API
- What is the difference between POST and PUT in HTTP?
- How are parameters sent in an HTTP POST request?
- Use of PUT vs PATCH methods in REST API real life scenarios
- Response to preflight request doesn't pass access control check - No 'Access-Control-Allow-Origin' header