Restrictions of XMLHttpRequest's getResponseHeader()?

The current state of standardizing the XMLHttpRequest API does only restrict the access to the Set-Cookie and Set-Cookie2 header fields:

client.getAllResponseHeaders()

Returns all headers from the response, with the exception of those whose field name is Set-Cookie or Set-Cookie2.

Any other header field should be returned.

But as you’re doing a cross-origin request, the browser needs to implement XMLHttpRequest Level 2 as the original XMLHttpRequest does only allow same-origin requests:

The XMLHttpRequest Level 2 specification enhances the XMLHttpRequest object with new features, such as cross-origin requests […]

There you can read that the “Cross-Origin Resource Sharing specification filters the headers that filters the headers that are exposed by getResponseHeader() for non same-origin requests.”. And that specification forbids access to any response header field other except the simple response header fields (i.e. Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, and Pragma):

User agents must filter out all response headers other than those that are a simple response header […]

E.g. the getResponseHeader() method of XMLHttpRequest will therefore not expose any header not indicated above.


It's the Access-Control-Allow-Origin header and the way it allows to prevent which headers are exposed to the browser. Docs at mozilla.