access-control-allow-origin = #field-name / wildcard
where
field-name = token
token = 1*tchar
tchar contains *
.
It means "*" can be interpreted in two ways.
- Let headerNames be the result of extracting header list values given
Access-Control-Expose-Headersand response’s header list.- If headerNames is
*and request’s credentials mode is not "include", then set response’s CORS-exposed header-name list to all unique header names in response’s header list.- Otherwise, if headerNames is not null, failure, or
*, then set response’s CORS-exposed header-name list to headerNames.
This sounds like
*, the symbol should be interpreted in the first way.* but _headerName_ is not *, the symbol should be interpreted in the second way.I feel it confusing.
@annevk @tyoshino
It was introduced in #252
I didn't realize you can have a header name that is *. If that is true I'm not sure how to best address this. Perhaps we need to use a different syntax for it.
It seems that if we want to avoid conflicts we should do something with
(DQUOTE and "(),/:;<=>?@[]{}").
per https://tools.ietf.org/html/rfc7230#section-3.2.6.
It seems this is a problem for:
but not Access-Control-Allow-Origin (origins cannot be *).
@mnot thoughts? Can we decide not to care about a method or header name which is *?
That would mean that the mere presence of a header field which name is * would prevent any other headers to be exposed unless you used a comma.
e.g. Access-Control-Expose-Headers: *, A, B would expose 3 headers.
Right, the question is whether that's acceptable or whether we should find an alternative syntax? And if the latter, what syntax?
In pursuit of meaningful, easy-to-understand syntax, I'd discourage finding an alternative syntax.
* is generally used as the wildcard character for "anything"*-> * should be interpreted as "all headers"
(if necessary, explicitly disallow a header named nothing but *)
Regards,
a dev stumbling across this
Idea:
/ wildcard. It's not needed as it's already part of field-name.-Expose-Headers, -Allow-Methods, -Allow-Headers containing a wildcard as meaning ALL. For requests with credentials we interpret a wildcard as a literal, the name of a header or method.So basically * gets special meaning for requests without credentials, which is what we wanted, but we don't go out of our way to make using * impossible.
The only scenario where you'd be out of luck is if for requests without credentials you only want to expose or allow a header/method named *.
The only alternative is using separators, such as @ or <*>, but the downside of that would be that it's inconsistent with -Allow-Origin, which already uses *.
@yutakahirano are you okay with the idea? Would be nice to unblock this and get this feature implemented.
I'd rather leave it as-is; it makes it clear that when it's alone, the wildcard has special meaning (i.e., the # rule isn't applied to it). As per the issue above, we might remove * from field-names in the future.
https://github.com/whatwg/fetch/issues/548#issuecomment-324886102 sg
https://github.com/whatwg/fetch/issues/548#issuecomment-325527382 is also acceptable but I would like some notes or examples.
I'm okay with making * special when it's the single value, but I will change the grammar for now. If field-name indeed changes we'll just fix our grammar at that point.
I'll start working on a PR to clarify the behavior as I think that will clarify any outstanding questions better than discussing it here would.
So while working on the PR I realized what @mnot suggested doesn't work as we need *, Authorization to mean ALL, including Authorization, and * to mean ALL, excluding Authorization. That's the status quo for Access-Control-Allow-Headers.
As mentioned earlier the only limitation is that you cannot solely safelist a header name or method that is * for requests without credentials, but that's not a big deal as it's a rather questionable character for that purpose anyway.
Relevant Safari bug: https://bugs.webkit.org/show_bug.cgi?id=169194
Updated browser bugs:
Most helpful comment
In pursuit of meaningful, easy-to-understand syntax, I'd discourage finding an alternative syntax.
*is generally used as the wildcard character for "anything"*->
*should be interpreted as "all headers"(if necessary, explicitly disallow a header named nothing but
*)Regards,
a dev stumbling across this