61

A simple GET request with no custom headers. The response is returned as expected. The data in the body is accessible, but not the headers.

When I try to access the "etag" header, browsers raise an exception:

Refused to get unsafe header "etag"

Chrome, Safari and Firefox all behave the same. I didn't test it on IE.

What am I missing here?

Localist
  • UPDATE: Only the following headers are accessible: Expires, Last-Modified, Content-Language, Cache-Control, Content-Type – Localist Apr 28 '11 at 19:00
  • If anyone wants to know when was this fixed, I've found the bugs in [webkit](https://bugs.webkit.org/show_bug.cgi?id=41210) and [chromium](https://code.google.com/p/chromium/issues/detail?id=87338&can=1&q=Access-Control-Expose-Headers&colspec=ID%20Pri%20M%20Iteration%20ReleaseBlock%20Cr%20Status%20Owner%20Summary%20OS%20Modified). – rvignacio Aug 06 '14 at 13:20

2 Answers

98

Only simple response headers are exposed when using CORS. Simple response headers are defined here. ETag is not a simple response header. If you want to expose non-simple headers, you need to set the Access-Control-Expose-Headers header, like so:

Access-Control-Expose-Headers: ETag

However, note that I've noticed bugs in Chrome, Safari and Firefox that prevent non-simple headers from being exposed correctly. This may be fixed by now, I'm not sure.

You shouldn't need to do a preflight request, since preflight is only required for non-GET/POST http methods or non-simple request headers (and you are asking about response headers).

monsur
  • I confirm the support for the Access-Control-Expose-Headers header is buggy. – Localist May 03 '11 at 18:06
  • I would love to know what makes Last-Modified simple and not ETag. Aren't they supposed to support the same purpose which is cache optimization? – Localist May 03 '11 at 18:07
  • You make a good point. I don't know the motivation behind it, but here is a thread that mentions it (I haven't read it yet): http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0038.html – monsur May 05 '11 at 02:30
  • I ran into this when designing a resumable upload protocol. 'Content-Length' is deemed an 'unsafe' header to get in response to a http "HEAD" request; what a load. Only the Safari nightlies seem to respect the 'Access-Control-Expose-Headers' header. Yay WWW. – Cyclone Jan 30 '12 at 18:50
  • Thanks. It's working for me. But when I am making a call into a WSO2 API Manager URL, the same error repeats. Can you help me? – Arun M R Nair Apr 17 '15 at 05:55
  • @Mohamed, "buggy"... meaning? – Pacerier Jan 26 '16 at 07:09
  • @Pacerier, is this "buggy" for you? In Chrome it is for me... :S – mike james Mar 09 '16 at 14:37
  • I was getting the `refused to get unsafe header "content-disposition"` error message and adding 'content-disposition' to `Access-Control-Expose-Headers` on the API response solved my problem. Thank you very much. – MNN May 22 '20 at 00:24
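Added example (not part of monsur's answer or of any browser's code): a small Node.js model of the rule the answer describes. The browser side is a function that returns the header names a cross-origin script may read from a response, and the server side is the header the answer says to send, tied to an origin allow-list so that the server does not simply echo back whatever Origin it receives. The safelist follows the current Fetch Standard, which also counts Content-Length and Pragma as safelisted (the 2011 list in the comment above is shorter); the rules that `*` only acts as a wildcard on requests made without credentials and that Set-Cookie is never readable from script are also taken from Fetch. The origin names and the ETag value are constructed for the example.

```javascript
// Added example, not code from the original answer. Models which response
// headers a cross-origin XHR/fetch caller is allowed to read, and the
// server-side header that changes the outcome for ETag.

// CORS-safelisted response-header names per the current Fetch Standard
// (Content-Length and Pragma were added after this thread was written).
const SAFELISTED = new Set([
  'cache-control', 'content-language', 'content-length',
  'content-type', 'expires', 'last-modified', 'pragma',
]);
// Forbidden response-header names: never readable, even if a server lists them.
const FORBIDDEN_RESPONSE = new Set(['set-cookie', 'set-cookie2']);

// Returns the sorted, lower-cased names in `responseHeaders` that script may
// read. `withCredentials` mirrors xhr.withCredentials / credentials:'include';
// with credentials, "*" in Access-Control-Expose-Headers is not a wildcard.
function readableHeaderNames(responseHeaders, withCredentials = false) {
  const lower = {};
  for (const [k, v] of Object.entries(responseHeaders)) lower[k.toLowerCase()] = v;
  const exposeRaw = lower['access-control-expose-headers'] || '';
  const exposed = new Set(
    exposeRaw.split(',').map(s => s.trim().toLowerCase()).filter(Boolean),
  );
  const wildcard = !withCredentials && exposed.has('*');
  return Object.keys(lower)
    .filter(name => !FORBIDDEN_RESPONSE.has(name))
    .filter(name => SAFELISTED.has(name) || wildcard || exposed.has(name))
    .sort();
}

// Simulates xhr.getResponseHeader(name): the value, or null where a browser
// would refuse (the "Refused to get unsafe header" case from the question).
function getResponseHeader(responseHeaders, name, withCredentials = false) {
  const key = name.toLowerCase();
  if (!readableHeaderNames(responseHeaders, withCredentials).includes(key)) return null;
  for (const [k, v] of Object.entries(responseHeaders)) {
    if (k.toLowerCase() === key) return v;
  }
  return null;
}

// Server side: headers to add so that an allowed origin can read ETag.
// `allowedOrigins` is a constructed allow-list; returns {} for any other
// origin, so the response simply is not CORS-enabled for it.
function corsResponseHeaders(requestOrigin, allowedOrigins, expose = ['ETag']) {
  if (!allowedOrigins.includes(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Vary': 'Origin', // the value depends on Origin, so caches must key on it
    'Access-Control-Expose-Headers': expose.join(', '),
  };
}

// Constructed sample: the response from the question, before and after the fix.
const BEFORE = {
  'Content-Type': 'application/json',
  'ETag': '"abc123"',
  'Access-Control-Allow-Origin': 'https://app.example',
};
const AFTER = {
  ...BEFORE,
  ...corsResponseHeaders('https://app.example', ['https://app.example']),
};

console.log('before fix:', readableHeaderNames(BEFORE), getResponseHeader(BEFORE, 'etag'));
console.log('after fix: ', readableHeaderNames(AFTER), getResponseHeader(AFTER, 'ETag'));
```

Running it prints only `content-type` as readable before the fix, with `getResponseHeader(BEFORE, 'etag')` returning null, and `content-type` plus `etag` after `Access-Control-Expose-Headers: ETag` is added. Note that Access-Control-Allow-Origin and Access-Control-Expose-Headers themselves stay unreadable unless they are exposed too, and that listing Set-Cookie has no effect.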
2

Have you ever tried AJAX 2.0 (cross-domain sharing)? It is a methodology fairly recently brought out by the W3C: http://www.w3.org/TR/XMLHttpRequest2/#ref-cors

Also there is another way of doing this, which is called JSON-P; it's like a JSON request, but you can use it across domains: http://en.wikipedia.org/wiki/JSONP

Both can be very dangerous to the site owners if not set up correctly though. So do be careful when using it.

[PS] Not sure if this will help: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

DarkMantis
  • Did you read the title of the question? It is supposed to BE CORS – mplungjan Apr 28 '11 at 18:08
  • Oops, I didn't really notice it if I'm honest. But still could use JSONP – DarkMantis Apr 28 '11 at 18:09
  • Sure, but it is interesting to know what is going on. Especially since JSONP sucks when it comes to error handling – mplungjan Apr 28 '11 at 18:11
  • yeah I can't disagree with you there. However, I'm not the greatest with CORS as I haven't worked with it too much. I thought I would float some reading material and some ideas their way though. – DarkMantis Apr 28 '11 at 18:16