I've noticed that the results of XMLHttpRequest.getResponseHeader()
don't always match the real headers returned (if the request is made in a regular mann
It's the Access-Control-Allow-Origin header and the way it allows you to restrict which headers are exposed to the browser. Docs at mozilla.
The current state of standardizing the XMLHttpRequest API only restricts access to the Set-Cookie and Set-Cookie2 header fields:

    client.getAllResponseHeaders()
    Returns all headers from the response, with the exception of those whose field name is Set-Cookie or Set-Cookie2.

Any other header field should be returned.
But as you're doing a cross-origin request, the browser needs to implement XMLHttpRequest Level 2, since the original XMLHttpRequest only allows same-origin requests:

    The XMLHttpRequest Level 2 specification enhances the XMLHttpRequest object with new features, such as cross-origin requests […]

There you can read that the "Cross-Origin Resource Sharing specification filters the headers that are exposed by getResponseHeader() for non same-origin requests." And that specification forbids access to any response header field other than the simple response header fields (i.e. Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, and Pragma):

    User agents must filter out all response headers other than those that are a simple response header […]

So the getResponseHeader() method of XMLHttpRequest will not expose any header other than those listed above.
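As an added example (not code from the question or either answer), here is a small model of the filtering rule described above, so you can see offline which headers getResponseHeader() returns for a same-origin versus a cross-origin request. The handling of Access-Control-Expose-Headers goes one step beyond the answer's text: it is the CORS response header a server uses to make additional headers readable, and is assumed here from the CORS specification. The sample response is constructed.

```javascript
// Headers a script can never read, same-origin or not (XHR spec).
const FORBIDDEN_ALWAYS = new Set(["set-cookie", "set-cookie2"]);

// The "simple response headers" CORS lets through for cross-origin requests.
const SIMPLE_RESPONSE_HEADERS = new Set([
  "cache-control", "content-language", "content-type",
  "expires", "last-modified", "pragma",
]);

// headers: header name -> value as the server sent them.
// crossOrigin: true when the request targets a different origin.
// Returns an object holding only the headers a script may read.
function visibleResponseHeaders(headers, crossOrigin) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) {
    lower[name.toLowerCase()] = value; // header names are case-insensitive
  }
  const exposed = new Set(SIMPLE_RESPONSE_HEADERS);
  // Assumption beyond the answer: Access-Control-Expose-Headers lists extra
  // header names the server allows cross-origin scripts to read.
  if (crossOrigin && lower["access-control-expose-headers"]) {
    for (const name of lower["access-control-expose-headers"].split(",")) {
      exposed.add(name.trim().toLowerCase());
    }
  }
  const result = {};
  for (const [name, value] of Object.entries(lower)) {
    if (FORBIDDEN_ALWAYS.has(name)) continue;        // cookies: never readable
    if (crossOrigin && !exposed.has(name)) continue; // CORS filter
    result[name] = value;
  }
  return result;
}

// Mirrors XMLHttpRequest.getResponseHeader(): null when the header is hidden.
function getResponseHeader(headers, crossOrigin, name) {
  const visible = visibleResponseHeaders(headers, crossOrigin);
  const key = name.toLowerCase();
  return Object.prototype.hasOwnProperty.call(visible, key) ? visible[key] : null;
}

// Constructed sample response: a custom header and a cookie next to a simple one.
const SAMPLE_RESPONSE = {
  "Content-Type": "application/json",
  "X-Request-Id": "abc123",
  "Set-Cookie": "session=1",
  "Access-Control-Allow-Origin": "*",
};
```

Calling getResponseHeader(SAMPLE_RESPONSE, true, "X-Request-Id") returns null, while the same call with crossOrigin set to false returns "abc123"; only adding "X-Request-Id" to Access-Control-Expose-Headers makes it readable cross-origin.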