John

Reputation: 195

CORS hidden headers?

I was working on implementing Spring Security with HMAC in my Angular app when I noticed something that seems weird.

Could someone explain why I don't get "X-HMAC-CSRF","X-Secret","WWW-Authenticate" values in my console.log?

console.log(JSON.stringify(response.headers()))
{"pragma":"no-cache","content-type":"application/json;charset=UTF-8","cache-control":"no-cache, no-store, max-age=0, must-revalidate","expires":"0"}

Although I get them correctly in the Network tab (F12), it's impossible to log them. Some pieces of code:

// Names of the custom response headers the backend sets
public static final String WWW_AUTHENTICATE = "WWW-Authenticate";
public static final String X_SECRET = "X-Secret";
public static final String CSRF_CLAIM_HEADER = "X-HMAC-CSRF";

// Written onto the response after successful authentication
response.setHeader(X_SECRET, filteredUrl);
response.setHeader(WWW_AUTHENTICATE, HmacUtils.HMAC_SHA_256);
response.setHeader(CSRF_CLAIM_HEADER, csrfId);
response.addCookie(jwtCookie);

I have also added a CORS filter because the backend and the frontend are not on the same domain:

import java.io.IOException;

import javax.annotation.PostConstruct;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

import lombok.extern.slf4j.Slf4j;

@Slf4j
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class CorsFilter implements Filter {

    @PostConstruct
    public void init() {
        log.info("Setup cors filter");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        // TODO ALLOW ALL ORIGIN ???
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "GET,POST,PUT,OPTIONS,DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "Origin, If-Modified-Since, Accept, Authorization, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, X-Handle-Errors-Generically");

        chain.doFilter(req, res);
    }
}

Upvotes: 3

Views: 1068

Answers (1)

sideshowbarker

Reputation: 88285

You need to also set an Access-Control-Expose-Headers response header on the server side to enable your frontend JavaScript code to access those headers:

response.setHeader("Access-Control-Expose-Headers",
    "X-HMAC-CSRF, X-Secret, WWW-Authenticate");

See https://developer.mozilla.org/docs/Web/HTTP/Headers/Access-Control-Expose-Headers

Upvotes: 4
