Do you have a test URL where we could see this issue in action?

Unfortunately, I don't have a specific URL for this. I tested using my local server, which has a REST API and uses Location for indicating the URL of a newly created resource. The server I'm working on isn't yet in production... I tried to find a similar public REST API but didn't have any luck... Maybe you can set up a local server that behaves like the one I'm working on. You only need to create a HTTP end-point that includes next headers for all GET responses: Access-Control-Allow-Origin:* Access-Control-Expose-Headers:Location Location: <some random value> Then, make a CORS call to this endpoint and try to access Location header. You can use jQuery's $.ajax or plain XmlHttpRequest in order to test this. I reported a similar bug to Firefox if it helps: https://bugzilla.mozilla.org/show_bug.cgi?id=817962

Created attachment 177987 [details] HTML file used for reproducing the issue I deployed a simple web app on Heroku (http://vast-retreat-1055.herokuapp.com). The response to a HTTP GET response is: HTTP Status 200 Headers: Content-Type:text/html Access-Control-Allow-Origin:* Access-Control-Expose-Headers:Location,Content-Length,Accept-Ranges Location:LocationHeaderValue Accept-Ranges:Accept-RangesHeaderValue In order to reproduce the bug open the attached corsBug.html in Safari 5.1.7, press "getLocationHeaderCORSCall()" button. 2 alerts will pop up : 1.The value returned by xhr.getResponseHeader("Location") 2.The value returned by xhr.getAllResponseHeaders() You can check the server response using a HTTP packets sniffer

Thank you! I cannot reproduce this in Safari 5.1.7 on Mac, but not in Safari 6. This means that this issue has been fixed in WebKit already, and it's up to browser vendors to ship an updated version.