Unexpected Access-Control-Expose-Headers header behavior

[chrismeyers]

I noticed that responses always include the Access-Control-Expose-Headers header even if Options.ExposedHeaders is not set. Running one of the examples, such as examples/gorilla/server.go, produces the following response:

$ curl -i -X GET 'http://localhost:8080' --header 'Origin: http://localhost:3000'
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers:
Content-Type: application/json
Vary: Origin
Date: Thu, 28 Sep 2023 00:33:47 GMT
Content-Length: 18

{"hello": "world"}

Is this the correct behavior? I would expect Access-Control-Expose-Headers to be omitted if no Options.ExposedHeaders value is set. If this is indeed a bug, I have a solution and can submit a PR to fix this.

[rs]

I'm not sure how this could happen. Which version of the lib are you using?

[chrismeyers]

I'm using the latest version of this library (v1.10.0) and the latest version of Go (go version go1.21.1 darwin/arm64).

Looking into the code, this line is returning []string{""} instead of []string{} when Options.ExposedHeaders is omitted:

cors/cors.go

Line 218 in 20a76bd

c.exposedHeaders = []string{strings.Join(convert(options.ExposedHeaders, http.CanonicalHeaderKey), ", ")}