fix(clients): remove invalid Access-Control-Expose-Headers request header

The x402-fetch, x402-axios, and Python (httpx, requests) clients were
setting Access-Control-Expose-Headers as a REQUEST header. This is
incorrect - Access-Control-Expose-Headers is a RESPONSE header that
only makes sense when set by the server, not the client.

Setting this header in a request has no effect on CORS behavior.
The server-side middlewares are responsible for setting this header
in their responses to allow browser clients to access the
X-PAYMENT-RESPONSE header.

Author: madisoncarter1234

python/x402/src/x402/clients/httpx.py

@@ -56,7 +56,6 @@ async def on_response(self, response: Response) -> Response:
             request = response.request
 
             request.headers["X-Payment"] = payment_header
-            request.headers["Access-Control-Expose-Headers"] = "X-Payment-Response"
 
             # Retry the request
             async with AsyncClient() as client:

python/x402/src/x402/clients/requests.py

@@ -66,7 +66,6 @@ def send(self, request, **kwargs):
             # Mark as retry and add payment header
             self._is_retry = True
             request.headers["X-Payment"] = payment_header
-            request.headers["Access-Control-Expose-Headers"] = "X-Payment-Response"
 
             retry_response = super().send(request, **kwargs)
 

python/x402/tests/clients/test_httpx.py

@@ -124,10 +124,6 @@ async def test_on_response_payment_flow(hooks, payment_requirements):
         assert mock_client.send.called
         retry_request = mock_client.send.call_args[0][0]
         assert retry_request.headers["X-Payment"] == mock_header
-        assert (
-            retry_request.headers["Access-Control-Expose-Headers"]
-            == "X-Payment-Response"
-        )
 
         # Verify the mocked methods were called with correct arguments
         hooks.client.select_payment_requirements.assert_called_once_with(

python/x402/tests/clients/test_requests.py

@@ -200,10 +200,6 @@ def mock_send_impl(req, **kwargs):
         retry_call = mock_send.call_args_list[1]
         retry_request = retry_call[0][0]
         assert retry_request.headers["X-Payment"] == mock_header
-        assert (
-            retry_request.headers["Access-Control-Expose-Headers"]
-            == "X-Payment-Response"
-        )
 
 
 def test_adapter_payment_error(adapter, payment_requirements):

typescript/packages/x402-axios/src/index.test.ts

@@ -141,7 +141,6 @@ describe("withPaymentInterceptor()", () => {
       ...error.config,
       headers: new AxiosHeaders({
         "X-PAYMENT": paymentHeader,
-        "Access-Control-Expose-Headers": "X-PAYMENT-RESPONSE",
       }),
       __is402Retry: true,
     });

typescript/packages/x402-axios/src/index.ts

@@ -99,7 +99,6 @@ export function withPaymentInterceptor(
         (originalConfig as { __is402Retry?: boolean }).__is402Retry = true;
 
         originalConfig.headers["X-PAYMENT"] = paymentHeader;
-        originalConfig.headers["Access-Control-Expose-Headers"] = "X-PAYMENT-RESPONSE";
 
         const secondResponse = await axiosClient.request(originalConfig);
         return secondResponse;

typescript/packages/x402-fetch/src/index.test.ts

@@ -102,7 +102,6 @@ describe("fetchWithPayment()", () => {
       headers: {
         "Content-Type": "application/json",
         "X-PAYMENT": paymentHeader,
-        "Access-Control-Expose-Headers": "X-PAYMENT-RESPONSE",
       },
       __is402Retry: true,
     } as RequestInitWithRetry);

typescript/packages/x402-fetch/src/index.ts

@@ -106,7 +106,6 @@ export function wrapFetchWithPayment(
       headers: {
         ...(init?.headers || {}),
         "X-PAYMENT": paymentHeader,
-        "Access-Control-Expose-Headers": "X-PAYMENT-RESPONSE",
       },
       __is402Retry: true,
     };