Restrictions of XMLHttpRequest's getResponseHeader()?
The current state of standardizing the XMLHttpRequest API does only restrict the access to the Set-Cookie and Set-Cookie2 header fields:
client.getAllResponseHeaders()
Returns all headers from the response, with the exception of those whose field name is
Set-CookieorSet-Cookie2.
Any other header field should be returned.
But as you’re doing a cross-origin request, the browser needs to implement XMLHttpRequest Level 2 as the original XMLHttpRequest does only allow same-origin requests:
The XMLHttpRequest Level 2 specification enhances the XMLHttpRequest object with new features, such as cross-origin requests […]
There you can read that the “Cross-Origin Resource Sharing specification filters the headers that filters the headers that are exposed by getResponseHeader() for non same-origin requests.”. And that specification forbids access to any response header field other except the simple response header fields (i.e. Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, and Pragma):
User agents must filter out all response headers other than those that are a simple response header […]
E.g. the
getResponseHeader()method of XMLHttpRequest will therefore not expose any header not indicated above.
It's the Access-Control-Allow-Origin header and the way it allows to prevent which headers are exposed to the browser. Docs at mozilla.