cors - Why is Access-Control-Expose-Headers needed?

Question

I was looking for the specific security reasons as to why this was added. It was kind of a WTH moment when I was implementing cors and could see all the headers being returned but I couldn't access them via javascript..

Answer 1

CORS is implemented in such a way that it does not break assumptions made in the pre-CORS, same-origin-only world.

In the pre-CORS world, a client could trigger a cross-origin request (for example, via a script tag), but it could not read the response headers.

In order to ensure that CORS doesn't break this assumption, the CORS spec requires the server to give explicit permissions for the client to read those headers (via the Access-Control-Expose-Headers header). This way, unauthorized CORS requests behave as they did in a pre-CORS world.