add Access-Control-Expose-Headers to CORS headers #634
Conversation
|
Hi there! Thank you for the contrib. But I have a question: does it really make sense to expose all the headers by default in such case? I never encounter any scenario where this has been required, my opinion might be biased so calling some friends on this (wdyt @Kocal @smnandre @nicolas-grekas @stof ?). Reminder: the CORS safe headers headers are exposed by default so this change would expose all the headers for CORS responses. |
|
@tucksaun If Symfony server stays for local development so yes this facility makes sense IMO the same way the server allows all http verbs and all origins. Some applications need to send custom headers to the client, and in this context javascript needs to access those response headers. In production hosted environments, it is not the same context. Symfony server should not be used. And if there is CORS need, granularity should be defined in exposed headers as well as http verbs and allowed origins for security reasons. |
Yes I agree but if you send custom headers, this is done in the backend code and as such one can control the CORS headers. The |
Backend code is not meant to deal with development environment. It is not part of the application nor the production environment unfortunately. 😞 I am working on an application where front and back are in the same domain. No CORS issue.
Indeed. True for static assets. |
|
I have no strong opinions on this, and I'm far from being a CORS expert, but since Symfony CLI should only be used for dev purpose, I think it's fine here (and so, even if the backend code could add the header too) |
Same way allowing HTTP clients to send cross-origin requests (using --allow-cors option), this PR allows scripts in the browser access custom headers sent by the server.
Custom headers are made available when server response contains
Access-Control-Expose-Headersheader.See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Expose-Headers