Regular Cross-Origin Request Processing

The web reverse proxy CORS policy includes the following entries related to regular cross-origin requests:

[cors-policy:<policy-name>]
request-match
allow-origin
allow-credentials
expose-header

Note: The request-match, allow-origin, and allow-credentials entries are also used when processing pre-flight requests.

The processing described in Process Common to Pre-Flight Check and Regular Cross-Origin Requests takes place before the processing described below.

Evaluating Access-Control-Expose-Headers

The web reverse proxy can use the Access-Control-Expose-Headers header to indicate to clients which headers they are permitted to expose.

If the exposed headers entry (see expose-header) is not configured or is invalid, no header is returned.

If a list of exposed headers is configured, all values are returned in a comma-separated list in the Access-Control-Expose-Headers header.

Request Headers:

...
Origin: https://test.ibm.com
...

Response from policy containing:

allow-origin = https://test.ibm.com
expose-header = X-IBM-HEADER
expose-header = X-IBM-HEADER-2

...
Access-Control-Allow-Origin: https://test.ibm.com
Access-Control-Expose-Headers: X-IBM-HEADER, X-IBM-HEADER-2
...

Response from policy containing:

allow-origin = https://test.ibm.com
expose-header =

...
Access-Control-Allow-Origin: https://test.ibm.com
...
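
The following check is an added example, not code from the product or its documentation: it reads a cors-policy stanza, derives the Access-Control-Expose-Headers value the rules above predict, and compares it with captured response headers so that configuration drift shows up as a finding. The stanza names, the function names, and the reading of "invalid" as "not a valid HTTP header-name token" (with one bad name invalidating the whole entry) are assumptions.

```python
import re

# RFC 7230 "token": the characters allowed in an HTTP header field name.
TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")

# Constructed sample stanzas; the entries mirror the two policies shown above.
POLICY_A = """[cors-policy:example-a]
allow-origin = https://test.ibm.com
expose-header = X-IBM-HEADER
expose-header = X-IBM-HEADER-2
"""
POLICY_B = """[cors-policy:example-b]
allow-origin = https://test.ibm.com
expose-header =
"""

def parse_policy(text):
    """Collect the entries of one stanza; an entry name may repeat."""
    entries = {}
    for line in text.splitlines():
        if "=" not in line:  # skips blank lines and the stanza header
            continue
        key, _, value = line.partition("=")
        entries.setdefault(key.strip(), []).append(value.strip())
    return entries

def expected_expose_header(entries):
    """Expected Access-Control-Expose-Headers value, or None for no header."""
    names = [v for v in entries.get("expose-header", []) if v]
    # Assumption: one name that is not a valid token invalidates the entry.
    if not names or not all(TOKEN.fullmatch(n) for n in names):
        return None
    return ", ".join(names)

def check_response(entries, response_headers):
    """Compare captured response headers with the policy; return findings."""
    got = {k.lower(): v for k, v in response_headers.items()}
    want = expected_expose_header(entries)
    actual = got.get("access-control-expose-headers")
    if want is None:
        return [] if actual is None else ["unexpected header: " + actual]
    names = lambda s: sorted(h.strip().lower() for h in s.split(","))
    if actual is None or names(actual) != names(want):
        return ["expected %r, got %r" % (want, actual)]
    return []

if __name__ == "__main__":
    ok = {"Access-Control-Expose-Headers": "X-IBM-HEADER, X-IBM-HEADER-2"}
    print(check_response(parse_policy(POLICY_A), ok))
    print(check_response(parse_policy(POLICY_B), ok))
```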