Add support for Access-Control-Expose-Headers and default CORS headers to CORS-safelisted headers

ben-z · ben-z · commit 8aa6a8f9036e · 2023-04-11T17:16:43.000Z
Similar to this (stale) PR: http-party#546 Resolves http-party#545 Usable for cruise-automation/webviz#247
diff --git a/bin/http-server b/bin/http-server
@@ -34,7 +34,8 @@ if (argv.h || argv.help) {
     '  -e --ext     Default file extension if none supplied [none]',
     '  -s --silent  Suppress log messages from output',
     '  --cors[=headers]   Enable CORS via the "Access-Control-Allow-Origin" header',
-    '                     Optionally provide CORS headers list separated by commas',
+    '                     Optionally provide CORS request/response headers list separated by commas',
+    '                     headers defaults to CORS-safelisted request/response headers',
     '  -o [path]    Open browser window after starting the server.',
     '               Optionally provide a URL path to open the browser window to.',
     '  -c           Cache time (max-age) in seconds [3600], e.g. -c10 for 10 seconds.',
diff --git a/lib/http-server.js b/lib/http-server.js
@@ -100,11 +100,20 @@ function HttpServer(options) {
 
   if (options.cors) {
     this.headers['Access-Control-Allow-Origin'] = '*';
-    this.headers['Access-Control-Allow-Headers'] = 'Origin, X-Requested-With, Content-Type, Accept, Range';
+    // Default allowed headers to CORS-safelisted request headers:
+    // https://fetch.spec.whatwg.org/#cors-safelisted-request-header
+    this.headers['Access-Control-Allow-Headers'] = 'Accept, Accept-Language, Content-Language, Content-Type';
+    // Default exposed headers to CORS-safelisted response headers:
+    // https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name
+    this.headers['Access-Control-Expose-Headers'] = 'Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, Pragma';
     if (options.corsHeaders) {
       options.corsHeaders.split(/\s*,\s*/)
-        .forEach(function (h) { this.headers['Access-Control-Allow-Headers'] += ', ' + h; }, this);
+        .forEach(function (h) {
+          this.headers['Access-Control-Allow-Headers'] += ', ' + h;
+          this.headers['Access-Control-Expose-Headers'] += ', ' + h;
+        }, this);
     }
+    console.log('headers', this.headers);
     before.push(corser.create(options.corsHeaders ? {
       requestHeaders: this.headers['Access-Control-Allow-Headers'].split(/\s*,\s*/)
     } : null));
