From ef355b28d47cc13663e60ee2d725d72bd3aac18a Mon Sep 17 00:00:00 2001
From: Jacob Bandes-Storch
Date: Tue, 22 Oct 2024 10:52:40 -0700
Subject: [PATCH] Add Access-Control-Expose-Headers in --cors mode By default, browsers only allow clients to read "CORS-safelisted response headers": https://developer.mozilla.org/en-US/docs/Glossary/CORS-safelisted_response_header However, sometimes it is useful to read other headers that are not safelisted by default, such as `Accept-Ranges`. The `Access-Control-Expose-Headers` header allows controlling which headers are exposed to the client. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers This change exposes all headers when `--cors` is used.
---
 source/utilities/server.ts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/source/utilities/server.ts b/source/utilities/server.ts
index d7a22077..d338ee2d 100644
--- a/source/utilities/server.ts
+++ b/source/utilities/server.ts
@@ -67,6 +67,7 @@ export const startServer = async (
 response.setHeader('Access-Control-Allow-Headers', '*');
 response.setHeader('Access-Control-Allow-Credentials', 'true');
 response.setHeader('Access-Control-Allow-Private-Network', 'true');
+ response.setHeader('Access-Control-Expose-Headers', '*');
 }
 if (!args['--no-compression'])
 await compress(request as ExpressRequest, response as ExpressResponse);
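Review bot: The added `Access-Control-Expose-Headers: *` acts as a wildcard only for requests made without credentials; the same block sends `Access-Control-Allow-Credentials: true`, and on a credentialed request browsers read `*` as a literal header name, so `Accept-Ranges` would still be hidden from the client in that case. The wildcard also makes every response header this server emits, including any custom ones added through configuration, readable by scripts on whatever origins the CORS policy admits. If the goal is range-request metadata, an explicit list is narrower and behaves the same with or without credentials, e.g. `response.setHeader('Access-Control-Expose-Headers', 'Accept-Ranges, Content-Range, ETag');`; if the wildcard stays, a comment such as `// '*' is a wildcard only for non-credentialed requests` would record the limitation. The enclosing `startServer` body begins and ends outside this hunk, so the `Access-Control-Allow-Origin` value that decides which origins benefit is not visible here.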