Referring to the Cross-Origin specification (http://www.w3.org/TR/access-control/), "6.1.3 Cross-Origin Request with Preflight", WebKit must allow access to response headers listed in the "Access-Control-Allow-Headers" header. Example:

1. Create XMLHttpRequest.
2. Add "X-Test" header with value "Request" to the request.
3. WebKit makes a preflight request to the server, and receives a valid response with "Access-Control-Allow-Headers: X-Test".
4. WebKit makes the normal request to the server with the "X-Test" header.
5. Server responds with a valid response, and an "X-Test: Reply" header.
6. getResponseHeader("X-Test") throws: Refused to get unsafe header "X-Test"

Test page attached.
Created attachment 46604 [details] XMLHttpRequest cross-domain headers test
The Access-Control-Allow-Headers header only affects what can be put into the request, not what can be read from the response. Per the CORS spec, there is no way to get an X-Test response header from a cross-origin request. Please see section 6.1:

-------------------------------------------
User agents must filter out all response headers other than those that are an ASCII case-insensitive match for one of the header field names listed below, before exposing response headers to the APIs defined in the hosting specification:

  * Cache-Control
  * Content-Language
  * Content-Type
  * Expires
  * Last-Modified
  * Pragma

E.g. the getResponseHeader() method of XMLHttpRequest will therefore not expose any header not listed above.
-------------------------------------------
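The following is an added example, not code from the bug thread or from WebKit. It models the response-header filter quoted above from CORS section 6.1 and replays the reporter's scenario: the server's Access-Control-Allow-Headers value and the X-Test response header are constructed sample data. The filter is applied to the actual response, not to the preflight, so the preflight's allow-list has no bearing on which response headers the script can read. The optional exposeHeaders parameter is an assumption taken from the later CORS spec text (the Access-Control-Expose-Headers response header), which is not part of the spec version quoted in this thread; it is included only to show the mechanism a server uses to opt a header into the readable set.

```javascript
// Added example (not from the bug thread or WebKit): models the CORS
// section 6.1 response-header filter behind getResponseHeader().
const CORS_SAFELISTED_RESPONSE_HEADERS = [
  "cache-control",
  "content-language",
  "content-type",
  "expires",
  "last-modified",
  "pragma",
];

// Return only the response headers a cross-origin script may read.
// `headers` is an object of name -> value as sent by the server.
// `exposeHeaders` is an assumption: the later spec's
// Access-Control-Expose-Headers value (comma-separated), "" if absent.
function filterCorsResponseHeaders(headers, exposeHeaders = "") {
  const allowed = new Set(CORS_SAFELISTED_RESPONSE_HEADERS);
  for (const name of exposeHeaders.split(",")) {
    const n = name.trim().toLowerCase();
    if (n) allowed.add(n);
  }
  const exposed = {};
  for (const [name, value] of Object.entries(headers)) {
    // ASCII case-insensitive match, as the quoted spec text requires.
    if (allowed.has(name.toLowerCase())) exposed[name] = value;
  }
  return exposed;
}

// Mirrors getResponseHeader(): null when the header is not exposed.
function getResponseHeader(exposedHeaders, name) {
  const wanted = name.toLowerCase();
  for (const [n, v] of Object.entries(exposedHeaders)) {
    if (n.toLowerCase() === wanted) return v;
  }
  return null;
}

// Constructed sample: the preflight allowed X-Test in the REQUEST...
const PREFLIGHT_RESPONSE = { "Access-Control-Allow-Headers": "X-Test" };
// ...and the actual response carried X-Test back, plus a safelisted header.
const ACTUAL_RESPONSE = {
  "Content-Type": "text/plain",
  "X-Test": "Reply",
};

// Replay the reporter's step 6: X-Test is not readable, Content-Type is.
function replayThreadScenario() {
  const exposed = filterCorsResponseHeaders(ACTUAL_RESPONSE);
  return {
    preflightAllowedRequestHeader: PREFLIGHT_RESPONSE["Access-Control-Allow-Headers"],
    xTest: getResponseHeader(exposed, "X-Test"),          // null
    contentType: getResponseHeader(exposed, "content-type"), // "text/plain"
  };
}

// Assumed later-spec behaviour: only an explicit expose list makes
// X-Test readable; Access-Control-Allow-Headers never does.
function replayWithExposeHeaders() {
  const exposed = filterCorsResponseHeaders(ACTUAL_RESPONSE, "X-Test");
  return getResponseHeader(exposed, "X-Test"); // "Reply"
}

console.log(replayThreadScenario());
console.log(replayWithExposeHeaders());
```

The point for anyone debugging a similar report: check which response the header arrived on and whether the server opted it into the readable set, rather than the preflight's allow-list.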