CORS Headers

[diegossilveira]

When trying CORS support on Hapi, I came accross an implementation question. I supposed additionalExposedHeaders with override set to false works exposing extra headers, merging headers manually set. But it not works that way. The following code illustrates that:

var Hapi = require('hapi');

var server = new Hapi.Server();
server.connection({ port: 3001 });

server.route({
  method: 'GET',
  path: '/',
  handler: function (request, reply) {
    var response = reply('Hello, world!')
    response.header('access-control-expose-headers', 'x-custom-header');
    response.header('x-request-id', '12345');
    response.header('x-custom-header', '12345');
  },
  config: {
    cors: {
      override: false,
      additionalExposedHeaders: ['x-request-id']
    }
  }
});

server.start(function () {
  console.log('Server running at:', server.info.uri);
});

Shouldn't it return an access-control-expose-headers with both values x-custom-header and x-request-id? Sometimes the handler function sets an access-control-expose-headers dynamically and is desirable that additionalExposedHeaders values are still set.

I think the following algorithm is suitable when the override flag is set to false:

Is access-control-expose-headers is already set?

• YES merge values from additionalExposedHeaders
• NO set header with additionalExposedHeaders value

[nlf]

in my mind override: false means absolutely do not change the header, what you're describing could potentially be a new merge option or something though?

[diegossilveira]

@nlf You are right. I think a new merge option would solve that. I just think it could get a little bit confusing when override is used with merge.

override: true and merge: true | false -> Merge gets ignored, since override is set?

[lock]

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.