API endpoints that have CORS headers, should also have Access-Control-Expose-Headers: Ratelimit-Remaining, ... so client can read rate limit header(s)
#3217
Open
josephrocca opened this issue
Dec 10, 2024
· 0 comments
· May be fixed by #3491
Is your feature request related to a problem? Please describe.
When creating a JS script for a bookmarklet, I noticed that I wasn't able to read rate-limit headers. I learned that it's because the browser requires the server to explicitly allow reading all but a standard set of headers for security:
Describe the solution you'd like
In all places that Access-Control-Allow-Origin: * is added to responses, we should also add this header: to allow browser-based clients to read rate limit headers.
Describe alternatives you've considered
Wait for 429 response code, then exponential back-off. Or similar.
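The browser behaviour this issue describes, as an added example that is not part of the original issue or the project's code: a small model of the Fetch standard's CORS response-header filtering, showing which headers a cross-origin script can read with and without Access-Control-Expose-Headers. The function name `readableHeaders` and the sample responses are constructed for illustration; only the Ratelimit-Remaining header name comes from the issue title.

```javascript
// Added example: models the Fetch standard's CORS response-header filtering.
// Sample responses below are constructed, not captured from any real API.
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);
// Forbidden response-header names are never readable, even when exposed.
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]);

// Returns the sorted, lower-cased header names a cross-origin script can read.
// `headers` is a plain object of response headers (hypothetical helper input);
// `credentialed` mirrors fetch(url, { credentials: "include" }).
function readableHeaders(headers, credentialed = false) {
  const names = Object.keys(headers).map((n) => n.toLowerCase());
  const exposeKey = Object.keys(headers)
    .find((n) => n.toLowerCase() === "access-control-expose-headers");
  const listed = new Set(
    (exposeKey ? headers[exposeKey] : "")
      .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean)
  );
  // "*" means "every header" only for requests sent without credentials.
  const wildcard = listed.has("*") && !credentialed;
  return names
    .filter((n) => !FORBIDDEN.has(n))
    .filter((n) => SAFELISTED.has(n) || wildcard || listed.has(n))
    .sort();
}

// Constructed response matching the issue: CORS enabled, nothing exposed.
const before = {
  "Access-Control-Allow-Origin": "*",
  "Content-Type": "application/json",
  "Ratelimit-Remaining": "41",
};
// Same response with the requested header added.
const after = { ...before, "Access-Control-Expose-Headers": "Ratelimit-Remaining" };

console.log(readableHeaders(before)); // [ 'content-type' ]
console.log(readableHeaders(after));  // [ 'content-type', 'ratelimit-remaining' ]
```

Listing the rate-limit header names explicitly exposes only those headers; the `*` value exposes every response header except the forbidden ones, and browsers ignore it as a wildcard on credentialed requests.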