Why is Access-Control-Expose-Headers needed?

I was looking for the specific security reasons as to why this was added. It was kind of a WTH moment when I was implementing cors and could see all the headers being returned but I couldn't access them via javascript..

CORS is implemented in such a way that it does not break assumptions made in the pre-CORS, same-origin-only world.

In the pre-CORS world, a client could trigger a cross-origin request (for example, via a script tag), but it could not read the response headers.

In order to ensure that CORS doesn't break this assumption, the CORS spec requires the server to give explicit permissions for the client to read those headers (via the Access-Control-Expose-Headers header). This way, unauthorized CORS requests behave as they did in a pre-CORS world.

> Here is the reason why Access-Control-Expose-Headers is needed :

Access-Control-Expose-Headers (optional) - The XMLHttpRequest 2 object has a getResponseHeader() method that returns the value of a particular response header. During a CORS request, the getResponseHeader() method can only access simple response headers. Simple response headers are defined as follows:

• Cache-Control
• Content-Language
• Content-Type
• Expires
• Last-Modified
• Pragma

If you want clients to be able to access other headers, you have to use the Access-Control-Expose-Headers header. The value of this header is a comma-delimited list of response headers you want to expose to the client.

for more reference please dig into the link https://www.html5rocks.com/en/tutorials/cors/

Happy coding !!

This is a pretty good question. Looking through http://www.w3.org/TR/cors/#simple-response-header, it's not obvious why you would want to or need to do this.

The CORS spec puts a lot of weight into the idea that you have to have a pre-request handshake where the client asks for a type of connection and the server responds that it'll allow it - so this may just be another aspect of that.

By default content-length isn't a permitted header so I ran into the same issue (later on when I needed to access WebDAV and had to modify the allowable params).. CORS really doesn't make a lot of sense (to me) in the first place so it wouldn't surprise me if swaths of it that are capricious.