fix: expose x-amz-storage-class in CORS response headers

s3api/controllers/cors_default_origin_test.go

@@ -55,8 +55,8 @@ func TestApplyBucketCORS_FallbackOrigin_NoBucketCors_NoRequestOrigin(t *testing.
 	if got := resp.Header.Get("Access-Control-Allow-Origin"); got != origin {
 		t.Fatalf("expected Access-Control-Allow-Origin to be set to fallback, got %q", got)
 	}
-	if got := resp.Header.Get("Access-Control-Expose-Headers"); got != "ETag" {
-		t.Fatalf("expected Access-Control-Expose-Headers to include ETag, got %q", got)
+	if got := resp.Header.Get("Access-Control-Expose-Headers"); got != "ETag, x-amz-storage-class" {
+		t.Fatalf("expected Access-Control-Expose-Headers to include ETag and x-amz-storage-class, got %q", got)
 	}
 }
 

s3api/middlewares/apply-default-cors.go

@@ -22,7 +22,7 @@ import (
 
 func ensureExposeETag(ctx *fiber.Ctx) {
 	existing := strings.TrimSpace(string(ctx.Response().Header.Peek("Access-Control-Expose-Headers")))
-	defaults := []string{"ETag"}
+	defaults := []string{"ETag", "x-amz-storage-class"}
 	if existing == "" {
 		ctx.Response().Header.Add("Access-Control-Expose-Headers", strings.Join(defaults, ", "))
 		return

s3api/middlewares/apply-default-cors_test.go

@@ -43,8 +43,8 @@ func TestApplyDefaultCORS_AddsHeaderWhenOriginSet(t *testing.T) {
 	if got := resp.Header.Get("Access-Control-Allow-Origin"); got != origin {
 		t.Fatalf("expected fallback origin header, got %q", got)
 	}
-	if got := resp.Header.Get("Access-Control-Expose-Headers"); got != "ETag" {
-		t.Fatalf("expected expose headers to include ETag, got %q", got)
+	if got := resp.Header.Get("Access-Control-Expose-Headers"); got != "ETag, x-amz-storage-class" {
+		t.Fatalf("expected expose headers to include ETag and x-amz-storage-class, got %q", got)
 	}
 }