
I ran into an issue in which I could not get the value in my response header from a cross-origin request. I figured out the answer, which was to configure my server to expose the header I needed (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers).

My question is why do I need to do that in order to have access to it in scripts, if I can actually see the value in the response in the network tab?

VLAZ
solar apricot
  • You've conflated "The Owner of the Browser" (who has access to the dev tools) and "The Owner of the Website" (who wrote the JavaScript). They are different people who shouldn't generally be given the same level of access to the data sent to the browser by a different website. – Quentin Jan 09 '23 at 13:01
  • @Quentin The dupe target has little to do with this question... Voting to reopen, if only to find a more appropriate dupe target. – jub0bs Jan 09 '23 at 13:52
  • @jub0bs — The duplicate question is, essentially, "Why can't I access the content of this URL without a specific header in the response?". That's the same as this question. The accepted answer has a section "Why the Same Origin Policy only applies to JavaScript in a web page" which specifically explains why you can read content with the Network tab but not with JS (which is the more narrow focus of what this question is about). – Quentin Jan 09 '23 at 14:09
  • @jub0bs if you have a more appropriate target, then feel free to suggest it. A gold badge holder can edit the dupe targets with it. Requiring 4-6 new votes to get the same thing is pretty ineffective. – VLAZ Jan 09 '23 at 14:17
  • @Quentin As I understand it, this question is not about accessing the content of a URL, but about the rationale for exposing response headers. – jub0bs Jan 09 '23 at 14:23
  • @jub0bs — The response headers are part of the response which **is** the content from the URL. – Quentin Jan 09 '23 at 14:24
  • @Quentin Your dupe target is very generic. The following question strikes me as a better dupe target: https://stackoverflow.com/questions/25673089/why-is-access-control-expose-headers-needed. Please reconsider. – jub0bs Jan 09 '23 at 14:26
  • @jub0bs — None of the answers there specifically address this question: "My question is why do I need to do that in order to have access to it in scripts, if I can actually see the value in the response in the network tab?" – Quentin Jan 09 '23 at 14:30

0 Answers
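
The filtering the question ran into, as an added example that is not part of the original thread: a JavaScript model of how a browser decides which headers of a cross-origin response page script may read, while the network tab still shows all of them. It follows the Fetch standard's CORS-safelisted response headers; the function names, the sample response and the `X-Request-Id` header are constructed for illustration.

```javascript
// Added example: models the header filter applied to a cross-origin ("cors")
// response before page script can read it. Not browser source code.

// CORS-safelisted response header names from the Fetch standard.
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);
// Forbidden response header names: never readable by script, even if exposed.
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]);

// Parse an Access-Control-Expose-Headers value into a set of lowercase names.
function parseExposeList(value) {
  return new Set(
    (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean)
  );
}

// rawHeaders: everything the server sent (what the network tab displays).
// withCredentials: true when the request used credentials: "include".
function scriptVisibleHeaders(rawHeaders, withCredentials) {
  const lower = Object.fromEntries(
    Object.entries(rawHeaders).map(([k, v]) => [k.toLowerCase(), v])
  );
  const exposed = parseExposeList(lower["access-control-expose-headers"]);
  // "*" acts as a wildcard only for requests sent without credentials.
  const wildcard = exposed.has("*") && !withCredentials;
  const visible = {};
  for (const [name, value] of Object.entries(lower)) {
    if (FORBIDDEN.has(name)) continue;
    if (SAFELISTED.has(name) || exposed.has(name) || wildcard) {
      visible[name] = value;
    }
  }
  return visible;
}

// Constructed sample response; X-Request-Id is a hypothetical custom header.
const SAMPLE = {
  "Content-Type": "application/json",
  "X-Request-Id": "abc123",
  "Set-Cookie": "sid=constructed",
  "Access-Control-Allow-Origin": "https://app.example",
};
const hidden = scriptVisibleHeaders(SAMPLE, false);
const shown = scriptVisibleHeaders(
  { ...SAMPLE, "Access-Control-Expose-Headers": "X-Request-Id" }, false);
console.log(Object.keys(hidden), Object.keys(shown));
```

Without the expose header, script sees only `content-type`; with it, `x-request-id` becomes readable, and `Set-Cookie` stays hidden in every case.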