50

In the HTTP CORS spec, what's the difference between 5.6 Access-Control-Allow-Headers and 5.3 Access-Control-Expose-Headers?

[Allow-Headers] header indicates, as part of the response to a preflight request, which header field names can be used during the actual request

UPDATE: I was hoping someone would tell me one of these headers is sent for every request (pre-flight)... However, there is yet another header that is used for that: 5.9 Access-Control-Request-Headers

[Request-Headers] header indicates which headers will be used in the actual request as part of the preflight request

BTW, I love how they (W3C) carefully worded 5.9 so that the request header can have a field called _Something_ Request Header.

I'm completely lost in the spec, is there a diagram where I can understand this process better?

BogdanBiv

2 Answers

40

Access-Control-Allow-Headers

Used in response to a preflight request to indicate which HTTP headers can be used when making the actual request.

Access-Control-Expose-Headers

This header lets a server whitelist headers that browsers are allowed to access. For example:

Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

Udi Dahan

  • So, basically these are badly named. The former is the request headers and the latter are the response headers made visible to scripts, right? – Luke Puplett Jan 21 '16 at 09:32
  • The [MDN documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers) states: _"The Access-Control-Allow-Headers response header is used in response to a preflight request to indicate which HTTP headers will be available via Access-Control-Expose-Headers when making the actual request."_ Is this incorrect? – BlueRaja - Danny Pflughoeft Nov 28 '17 at 12:57
  • What will happen if the request has a header that is not included in the `Access-Control-Allow-Headers`? For example, the server sends back "A, B, C", but the real request headers are "A, B, C, D". Will the browser refuse to send the real request? – Devs love ZenUML Jun 11 '20 at 07:42
18

Just to clarify a comment above that these are badly named, these are not badly named.

They serve distinct functions.

  • Access-control-allow-headers specifies which headers are allowed to change the state of the server.
  • While Access-control-expose-headers has a get method, getResponseHeader(), that returns the value of a particular response header. During a CORS request, the getResponseHeader() method can only access simple response headers. To be able to access other headers, you need to specify them here.
dance2die
HopeKing
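As an added example that is not part of the question or either answer, the following Node.js model shows the two browser-side decisions these three headers drive: what the preflight's Access-Control-Request-Headers lists, whether Access-Control-Allow-Headers permits the real request (including the "A, B, C" versus "A, B, C, D" case asked in the comments above), and which response headers getResponseHeader() may read given Access-Control-Expose-Headers. The safelists and the value rule for Content-Type are taken from the Fetch standard rather than from this page, and the `*` wildcard is deliberately not modelled.

```javascript
// Added example: a model of the browser's CORS header checks, not production code.
// Header names are compared case-insensitively, as a browser does.
const SAFELISTED_REQUEST = new Set(["accept", "accept-language", "content-language"]);
const SAFELISTED_RESPONSE = new Set(["cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma"]);
const SAFE_CONTENT_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];

const splitList = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Content-Type is only safelisted for three MIME types; any other value forces a preflight.
function isSafelistedRequestHeader(name, value) {
  const n = name.toLowerCase();
  if (n === "content-type") {
    return SAFE_CONTENT_TYPES.includes(String(value).split(";")[0].trim().toLowerCase());
  }
  return SAFELISTED_REQUEST.has(n);
}

// Preflight: the browser announces method and non-safelisted header names it intends to send.
function buildPreflight(method, requestHeaders) {
  const names = Object.entries(requestHeaders)
    .filter(([h, v]) => !isSafelistedRequestHeader(h, v))
    .map(([h]) => h.toLowerCase())
    .sort();
  return { "Access-Control-Request-Method": method, "Access-Control-Request-Headers": names.join(", ") };
}

// After the preflight response: every header the browser plans to send must be safelisted or
// named in Access-Control-Allow-Headers. If not, the actual request is never sent.
function preflightPermits(requestHeaders, allowHeadersValue) {
  const allowed = new Set(splitList(allowHeadersValue));
  return Object.entries(requestHeaders)
    .every(([h, v]) => isSafelistedRequestHeader(h, v) || allowed.has(h.toLowerCase()));
}

// Response headers a script may read via getResponseHeader(): the safelisted ones plus those
// named in Access-Control-Expose-Headers. The rest arrive on the wire but stay hidden from JS.
function readableHeaders(responseHeaders, exposeHeadersValue) {
  const exposed = new Set(splitList(exposeHeadersValue));
  return Object.keys(responseHeaders)
    .filter((h) => SAFELISTED_RESPONSE.has(h.toLowerCase()) || exposed.has(h.toLowerCase()))
    .sort();
}

module.exports = { buildPreflight, preflightPermits, readableHeaders };
```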