Access-Control-Expose-Headers #15

Closed
ix-xerri opened this issue Feb 17, 2014 · 4 comments
@ix-xerri

Would just like to double check this issue. In my use case I have a CSRF token in the headers. Now to have that token accessible by the client then I need to use 'Access-Control-Expose-Headers'. This middleware does not offer the functionality to add that header, correct?

@troygoode
Member

Hi @ix-xerri you're right, that isn't currently supported. I haven't seen this header before, but I'll take a look at implementing it soon.

http://www.w3.org/TR/cors/#access-control-expose-headers-response-header

@troygoode troygoode self-assigned this Feb 18, 2014
@ix-xerri
Author

Express examples usually show CSRF tokens inside some jade template. I include it in the response header and have the client store it in memory so that the next request would contain the CSRF token. To be able to access the header of a CORS response via JavaScript you need Access-Control-Expose-Headers.
Thanks

@troygoode
Member

Just received another bug report about this (copy-pasta'd below). Will get this fixed in the next couple of days.


Hey, I just thought I would drop you a note. I might have a minor bug fix, but I'm not sure if it strictly relates to CORS. Chrome has been giving me errors for a while - refusing to get unsafe headers. I believe the solution is: Access-Control-Expose-Headers. To make Chrome happy, I did the following:

Config:

var corsOptions = {
    exposeHeaders : 'Content-Range, X-Content-Range'
};
app.use(cors(corsOptions));

New Method

function configureExposeHeaders(options, req) {
  var headers = options.exposeHeaders;

  if (!headers) {
    return null;
  } else if (headers.join) {
    // .headers is an array, so turn it into a string
    headers = headers.join(',');
  }

  if (headers && headers.length) {
    return {
      key : 'Access-Control-Expose-Headers',
      value : headers
    };
  }
  return null;
}

Added it into the (req.method === 'OPTIONS')'s ELSE block.

(i.e. it fires every other time)

 headers.push(configureExposeHeaders(options, req));

@troygoode
Member

Fixed and pushed to npm as version 2.2.0.

Set the exposedHeaders property of the options passed into the cors middleware to use.
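
An added example (not code from this thread or from the cors middleware) that models, in plain Node.js, which response headers cross-origin script can read with and without Access-Control-Expose-Headers. The `X-CSRF-Token` header name, the origin, the token value and all function names are assumptions made for illustration, and the browser side is a simplified model of the Fetch specification's response filtering.

```javascript
// Added example. Header name, origin and token value are constructed.

// Response headers script may always read on a CORS response (Fetch safelist).
const SAFELISTED = ['cache-control', 'content-language', 'content-length',
  'content-type', 'expires', 'last-modified', 'pragma'];

// Server side: build the header from an exposedHeaders option (array or string),
// using the option name given in the final comment of the thread.
function exposeHeader(options) {
  let list = options.exposedHeaders;
  if (!list) return null;
  if (Array.isArray(list)) list = list.join(',');
  return list.length ? { key: 'Access-Control-Expose-Headers', value: list } : null;
}

// Browser side (simplified model): which response header names can script read?
function readableHeaders(responseHeaders, withCredentials) {
  const lower = {};
  for (const [k, v] of Object.entries(responseHeaders)) lower[k.toLowerCase()] = v;
  const exposed = (lower['access-control-expose-headers'] || '')
    .split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
  // "*" exposes everything only for requests made without credentials;
  // with credentials it is treated as a literal header name.
  const wildcard = !withCredentials && exposed.includes('*');
  return Object.keys(lower).filter(name =>
    name !== 'set-cookie' &&
    (SAFELISTED.includes(name) || wildcard || exposed.includes(name))).sort();
}

// Constructed response carrying a CSRF token in a header.
function sampleResponse(options) {
  const res = { 'Content-Type': 'application/json',
    'X-CSRF-Token': 'constructed-token',
    'Access-Control-Allow-Origin': 'https://app.example' };
  const h = exposeHeader(options);
  if (h) res[h.key] = h.value;
  return res;
}

// Credentialed requests, as a cookie-backed CSRF flow would use.
console.log(readableHeaders(sampleResponse({}), true));
console.log(readableHeaders(sampleResponse({ exposedHeaders: ['X-CSRF-Token'] }), true));
console.log(readableHeaders(sampleResponse({ exposedHeaders: '*' }), true));
```

In this model a credentialed request only sees the token when the header is listed by name, and an option spelled `exposeHeaders` (as in the quoted report) is not read by `exposeHeader` at all.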
