Allow clients to read custom response headers

balderdashy · Mar 20, 2015 · 82b383f · 82b383f
1 parent 9b9837d
commit 82b383f
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/lib/hooks/cors/index.js b/lib/hooks/cors/index.js
@@ -23,6 +23,7 @@ module.exports = function(sails) {
 				credentials: true,
 				methods: 'GET, POST, PUT, DELETE, OPTIONS, HEAD',
 				headers: 'content-type',
+				exposeHeaders: '',
         securityLevel: 0,
 			}
 		},
@@ -180,6 +181,9 @@ module.exports = function(sails) {
         // Determine whether or not to allow cookies to be passed cross-origin
 				res.set('Access-Control-Allow-Credentials', !_.isUndefined(routeCorsConfig.credentials) ? routeCorsConfig.credentials : sails.config.cors.credentials);
 
+	// This header lets a server whitelist headers that browsers are allowed to access
+        res.set('Access-Control-Expose-Headers', !_.isUndefined(routeCorsConfig.exposeHeaders) ? routeCorsConfig.exposeHeaders : sails.config.cors.exposeHeaders);
+
         // Handle preflight requests
 				if (req.method == "OPTIONS") {
 					res.set('Access-Control-Allow-Methods', !_.isUndefined(routeCorsConfig.methods) ? routeCorsConfig.methods : sails.config.cors.methods);
@@ -204,6 +208,7 @@ module.exports = function(sails) {
 			res.set('Access-Control-Allow-Credentials', '');
 			res.set('Access-Control-Allow-Methods', '');
 			res.set('Access-Control-Allow-Headers', '');
+			res.set('Access-Control-Expose-Headers', '');
 		}
 
 		next();