A-C-Expose-Headers: dont include the 7 CORS-safelisted response-headers

https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name

saves bytes over wire

lib/cors-anywhere.js

@@ -56,9 +56,15 @@ function withCORS(headers, request) {
     if (corsMaxAge) {
       headers['access-control-max-age'] = corsMaxAge;
     }
-  }
-  else {
-    headers['access-control-expose-headers'] = Object.keys(headers).join(',');
+  } else {
+    headers['access-control-expose-headers'] = Object.keys(headers).filter(
+      function(header){
+        if (header.match(/^cache-control|content-language|content-length|content-type|expires|last-modified|pragma$/)) {
+          return false;
+        } else {
+          return header;
+        }
+      }).join(',');
   }
 
   headers['access-control-allow-origin'] = '*';

test/setup.js

@@ -54,8 +54,16 @@ function echoheaders(origin) {
 
 nock('http://example.com')
   .persist()
+// replyContentLength() has no effect unless response body is JSON and will get
+// stringified, use defaultReplyHeaders() instead
+// https://github.com/nock/nock/blob/626021770b9b2fa52860c19f6b7a6033d64125e3/lib/interceptor.js#L176
+  .defaultReplyHeaders({
+    'Content-Length': function (req, res, body) {return body.length;},
+  })
   .get('/')
-  .reply(200, 'Response from example.com')
+  .reply(200, 'Response from example.com', {
+    'Content-Type': 'text/plain',
+  })
 
   .post('/echopost')
   .reply(200, function(uri, requestBody) {

test/test.js

@@ -103,6 +103,9 @@ describe('Basic functionality', function() {
       .get('/example.com')
       .expect('Access-Control-Allow-Origin', '*')
       .expect('x-request-url', 'http://example.com/')
+      .expect('Content-Length', '25')
+      .expectHeaderNotMatch('access-control-expose-headers', /content-length/)
+      .expectHeaderNotMatch('access-control-expose-headers', /content-type/)
       .expectHeaderNotMatch('access-control-expose-headers', /access-control-allow-origin/)
       .expect(200, 'Response from example.com', done);
   });