From 3a374ce84ff226ec9539a7d953d9f80af119ef22 Mon Sep 17 00:00:00 2001
From: Danilo Reinert <daniloreinert@gmail.com>
Date: Tue, 30 Mar 2021 18:47:51 -0300
Subject: [PATCH] Expose "WWW-Authenticate" header to CORS requests

Digest auth endpoint is missing the "Access-Control-Expose-Headers: WWW-Authenticate" header in order to correctly support CORS requests. Without it, the browser doesn't allow the client to get the value of the WWW-Authenticate header.
---
 httpbin/core.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/httpbin/core.py b/httpbin/core.py
index 305c9882..a031b4fc 100644
--- a/httpbin/core.py
+++ b/httpbin/core.py
@@ -217,6 +217,7 @@ def before_request():
 def set_cors_headers(response):
     response.headers["Access-Control-Allow-Origin"] = request.headers.get("Origin", "*")
     response.headers["Access-Control-Allow-Credentials"] = "true"
+    response.headers["Access-Control-Expose-Headers"] = "WWW-Authenticate"
 
     if request.method == "OPTIONS":
         # Both of these headers are only used for the "preflight request"