From f2515c831641eeb9cc3dbefc082a14706158581b Mon Sep 17 00:00:00 2001
From: griest024 <griest024@gmail.com>
Date: Wed, 7 Feb 2024 17:01:18 -0500
Subject: [PATCH] fix: `Access-Control-Expose-Headers` only set on preflight
 (#84)

`Access-Control-Expose-Headers` should be only the full request, NOT the preflight:

> An HTTP response to a CORS request that is not a CORS-preflight request can also include the following header

https://fetch.spec.whatwg.org/#http-access-control-expose-headers
---
 Response/HeaderProvider/CorsExposeHeadersProvider.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Response/HeaderProvider/CorsExposeHeadersProvider.php b/Response/HeaderProvider/CorsExposeHeadersProvider.php
index 0689794..ee00b83 100644
--- a/Response/HeaderProvider/CorsExposeHeadersProvider.php
+++ b/Response/HeaderProvider/CorsExposeHeadersProvider.php
@@ -57,6 +57,6 @@ public function getValue()
 
     public function canApply(): bool
     {
-        return $this->validator->isPreflightRequest() && $this->validator->originIsValid() && $this->getValue();
+        return !$this->validator->isPreflightRequest() && $this->validator->originIsValid() && $this->getValue();
     }
 }