Allow "*" for Access-Control-Expose-Headers

rstoyanchev · rstoyanchev · commit 8c3a05bbcf21 · 2020-11-19T09:20:55.000Z
Closes gh-26113
diff --git a/spring-web/src/main/java/org/springframework/web/bind/annotation/CrossOrigin.java b/spring-web/src/main/java/org/springframework/web/bind/annotation/CrossOrigin.java
@@ -114,6 +114,8 @@
 	 * {@code Expires}, {@code Last-Modified}, or {@code Pragma},
 	 * <p>Exposed headers are listed in the {@code Access-Control-Expose-Headers}
 	 * response header of actual CORS requests.
+	 * <p>The special value {@code "*"} allows all headers to be exposed for
+	 * non-credentialed requests.
 	 * <p>By default no headers are listed as exposed.
 	 */
 	String[] exposedHeaders() default {};
diff --git a/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java b/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java
@@ -329,13 +329,11 @@ else if (this.allowedHeaders == DEFAULT_PERMIT_ALL) {
 	 * {@code Cache-Control}, {@code Content-Language}, {@code Content-Type},
 	 * {@code Expires}, {@code Last-Modified}, or {@code Pragma}) that an
 	 * actual response might have and can be exposed.
-	 * <p>Note that {@code "*"} is not a valid exposed header value.
+	 * <p>The special value {@code "*"} allows all headers to be exposed for
+	 * non-credentialed requests.
 	 * <p>By default this is not set.
 	 */
 	public void setExposedHeaders(@Nullable List<String> exposedHeaders) {
-		if (exposedHeaders != null && exposedHeaders.contains(ALL)) {
-			throw new IllegalArgumentException("'*' is not a valid exposed header value");
-		}
 		this.exposedHeaders = (exposedHeaders != null ? new ArrayList<>(exposedHeaders) : null);
 	}
 
@@ -351,12 +349,10 @@ public List<String> getExposedHeaders() {
 
 	/**
 	 * Add a response header to expose.
-	 * <p>Note that {@code "*"} is not a valid exposed header value.
+	 * <p>The special value {@code "*"} allows all headers to be exposed for
+	 * non-credentialed requests.
 	 */
 	public void addExposedHeader(String exposedHeader) {
-		if (ALL.equals(exposedHeader)) {
-			throw new IllegalArgumentException("'*' is not a valid exposed header value");
-		}
 		if (this.exposedHeaders == null) {
 			this.exposedHeaders = new ArrayList<>(4);
 		}
diff --git a/spring-web/src/test/java/org/springframework/web/cors/CorsConfigurationTests.java b/spring-web/src/test/java/org/springframework/web/cors/CorsConfigurationTests.java
@@ -61,32 +61,19 @@ public void setValues() {
 		config.addAllowedOriginPattern("http://*.example.com");
 		config.addAllowedHeader("*");
 		config.addAllowedMethod("*");
-		config.addExposedHeader("header1");
-		config.addExposedHeader("header2");
+		config.addExposedHeader("*");
 		config.setAllowCredentials(true);
 		config.setMaxAge(123L);
 
 		assertThat(config.getAllowedOrigins()).containsExactly("*");
 		assertThat(config.getAllowedOriginPatterns()).containsExactly("http://*.example.com");
 		assertThat(config.getAllowedHeaders()).containsExactly("*");
 		assertThat(config.getAllowedMethods()).containsExactly("*");
-		assertThat(config.getExposedHeaders()).containsExactly("header1", "header2");
+		assertThat(config.getExposedHeaders()).containsExactly("*");
 		assertThat(config.getAllowCredentials()).isTrue();
 		assertThat(config.getMaxAge()).isEqualTo(new Long(123));
 	}
 
-	@Test
-	public void asteriskWildCardOnAddExposedHeader() {
-		assertThatIllegalArgumentException()
-				.isThrownBy(() -> new CorsConfiguration().addExposedHeader("*"));
-	}
-
-	@Test
-	public void asteriskWildCardOnSetExposedHeaders() {
-		assertThatIllegalArgumentException()
-				.isThrownBy(() -> new CorsConfiguration().setExposedHeaders(Collections.singletonList("*")));
-	}
-
 	@Test
 	public void combineWithNull() {
 		CorsConfiguration config = new CorsConfiguration();
@@ -133,26 +120,30 @@ public void combineWithDefaultPermitValues() {
 		assertThat(combinedConfig.getAllowedOrigins()).containsExactly("https://domain.com");
 		assertThat(combinedConfig.getAllowedHeaders()).containsExactly("header1");
 		assertThat(combinedConfig.getAllowedMethods()).containsExactly(HttpMethod.PUT.name());
+		assertThat(combinedConfig.getExposedHeaders()).isEmpty();
 
 		combinedConfig = other.combine(config);
 		assertThat(combinedConfig).isNotNull();
 		assertThat(combinedConfig.getAllowedOrigins()).containsExactly("https://domain.com");
 		assertThat(combinedConfig.getAllowedHeaders()).containsExactly("header1");
 		assertThat(combinedConfig.getAllowedMethods()).containsExactly(HttpMethod.PUT.name());
+		assertThat(combinedConfig.getExposedHeaders()).isEmpty();
 
 		combinedConfig = config.combine(new CorsConfiguration());
 		assertThat(config.getAllowedOrigins()).containsExactly("*");
 		assertThat(config.getAllowedHeaders()).containsExactly("*");
 		assertThat(combinedConfig).isNotNull();
 		assertThat(combinedConfig.getAllowedMethods())
 				.containsExactly(HttpMethod.GET.name(), HttpMethod.HEAD.name(), HttpMethod.POST.name());
+		assertThat(combinedConfig.getExposedHeaders()).isEmpty();
 
 		combinedConfig = new CorsConfiguration().combine(config);
 		assertThat(config.getAllowedOrigins()).containsExactly("*");
 		assertThat(config.getAllowedHeaders()).containsExactly("*");
 		assertThat(combinedConfig).isNotNull();
 		assertThat(combinedConfig.getAllowedMethods())
 				.containsExactly(HttpMethod.GET.name(), HttpMethod.HEAD.name(), HttpMethod.POST.name());
+		assertThat(combinedConfig.getExposedHeaders()).isEmpty();
 	}
 
 	@Test
@@ -196,6 +187,7 @@ public void combineWithAsteriskWildCard() {
 		CorsConfiguration config = new CorsConfiguration();
 		config.addAllowedOrigin("*");
 		config.addAllowedHeader("*");
+		config.addExposedHeader("*");
 		config.addAllowedMethod("*");
 		config.addAllowedOriginPattern("*");
 
@@ -204,21 +196,26 @@ public void combineWithAsteriskWildCard() {
 		other.addAllowedOriginPattern("http://*.company.com");
 		other.addAllowedHeader("header1");
 		other.addExposedHeader("header2");
+		other.addAllowedHeader("anotherHeader1");
+		other.addExposedHeader("anotherHeader2");
 		other.addAllowedMethod(HttpMethod.PUT.name());
 
 		CorsConfiguration combinedConfig = config.combine(other);
 		assertThat(combinedConfig).isNotNull();
 		assertThat(combinedConfig.getAllowedOrigins()).containsExactly("*");
 		assertThat(combinedConfig.getAllowedOriginPatterns()).containsExactly("*");
 		assertThat(combinedConfig.getAllowedHeaders()).containsExactly("*");
+		assertThat(combinedConfig.getExposedHeaders()).containsExactly("*");
 		assertThat(combinedConfig.getAllowedMethods()).containsExactly("*");
 
 		combinedConfig = other.combine(config);
 		assertThat(combinedConfig).isNotNull();
 		assertThat(combinedConfig.getAllowedOrigins()).containsExactly("*");
 		assertThat(combinedConfig.getAllowedOriginPatterns()).containsExactly("*");
 		assertThat(combinedConfig.getAllowedHeaders()).containsExactly("*");
+		assertThat(combinedConfig.getExposedHeaders()).containsExactly("*");
 		assertThat(combinedConfig.getAllowedMethods()).containsExactly("*");
+		assertThat(combinedConfig.getAllowedHeaders()).containsExactly("*");
 	}
 
 	@Test  // SPR-14792
diff --git a/spring-webflux/src/main/java/org/springframework/web/reactive/config/CorsRegistration.java b/spring-webflux/src/main/java/org/springframework/web/reactive/config/CorsRegistration.java
@@ -98,7 +98,8 @@ public CorsRegistration allowedHeaders(String... headers) {
 	 * {@code Cache-Control}, {@code Content-Language}, {@code Content-Type},
 	 * {@code Expires}, {@code Last-Modified}, or {@code Pragma}, that an
 	 * actual response might have and can be exposed.
-	 * <p>Note that {@code "*"} is not supported on this property.
+	 * <p>The special value {@code "*"} allows all headers to be exposed for
+	 * non-credentialed requests.
 	 * <p>By default this is not set.
 	 */
 	public CorsRegistration exposedHeaders(String... headers) {
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/config/annotation/CorsRegistration.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/config/annotation/CorsRegistration.java
@@ -99,7 +99,8 @@ public CorsRegistration allowedHeaders(String... headers) {
 	 * {@code Cache-Control}, {@code Content-Language}, {@code Content-Type},
 	 * {@code Expires}, {@code Last-Modified}, or {@code Pragma}, that an
 	 * actual response might have and can be exposed.
-	 * <p>Note that {@code "*"} is not supported on this property.
+	 * <p>The special value {@code "*"} allows all headers to be exposed for
+	 * non-credentialed requests.
 	 * <p>By default this is not set.
 	 */
 	public CorsRegistration exposedHeaders(String... headers) {
diff --git a/spring-webmvc/src/main/resources/org/springframework/web/servlet/config/spring-mvc.xsd b/spring-webmvc/src/main/resources/org/springframework/web/servlet/config/spring-mvc.xsd
@@ -1400,6 +1400,7 @@
 	Comma-separated list of response headers other than simple headers (i.e.
 	Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma) that an
 	actual response might have and can be exposed.
+	The special value "*" allows all headers to be exposed for non-credentialed requests.
 	Empty by default.
 								]]></xsd:documentation>
 							</xsd:annotation>
