Commit

State that the wildcard exception also applies to Access-Control-Expose-Headers (#23522)
jub0bs authored Jan 11, 2023
1 parent 29416f2 commit ae1c732
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions files/en-us/web/http/cors/index.md
@@ -356,6 +356,8 @@ When responding to a credentialed request:

- The server **must not** specify the "`*`" wildcard for the `Access-Control-Allow-Methods` response-header value, but must instead specify an explicit list of method names; for example, `Access-Control-Allow-Methods: POST, GET`

- The server **must not** specify the "`*`" wildcard for the `Access-Control-Expose-Headers` response-header value, but must instead specify an explicit list of header names; for example, `Access-Control-Expose-Headers: Content-Encoding, Kuma-Revision`

If a request includes a credential (most commonly a `Cookie` header) and the response includes an `Access-Control-Allow-Origin: *` header (that is, with the wildcard), the browser will block access to the response, and report a CORS error in the devtools console.

But if a request does include a credential (like the `Cookie` header) and the response includes an actual origin rather than the wildcard (like, for example, `Access-Control-Allow-Origin: https://example.com`), then the browser will allow access to the response from the specified origin.
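Review bot: the new `Access-Control-Expose-Headers` bullet states the rule but, unlike the `Access-Control-Allow-Origin` paragraph that follows it, not the consequence of breaking it; consider appending a clause such as "otherwise the browser treats `*` as a literal header name rather than a wildcard, and no additional response headers become readable by the script", since that is what the "wildcard exception" in the commit title refers to and it is what a reader debugging an opaque `getResponseHeader()` result needs. Wording and example format otherwise match the preceding `Access-Control-Allow-Methods` bullet, which is good; `Content-Encoding` is a sensible example because it is not a CORS-safelisted response header, though `Kuma-Revision` is an MDN-specific name and a generic `X-My-Custom-Header` would read as less site-specific.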
