Etag header not returned from jQuery.ajax() cross-origin XHR

Question

Why is the Etag header not being returned by jqXHR.getAllResponseHeaders() in the following minimal example?

Run with: node etag-serv

Answer 1

The ETag header present in cross-origin responses will not be accessible to client-side code unless the server includes an Access-Control-Expose-Headers header in its response, with a value of "ETag". This is true of any "non-simple" response headers.

From the CORS spec:

7.1.1 Handling a Response to a Cross-Origin Request User agents must filter out all response headers other than those that are a simple response header or of which the field name is an ASCII case-insensitive match for one of the values of the Access-Control-Expose-Headers headers (if any), before exposing response headers to APIs defined in CORS API specifications.

Simple response headers are limited to:

1. Cache-Control
2. Content-Language
3. Content-Type
4. Expires
5. Last-Modified
6. Pragma

All other headers that the client needs to access in the response must be "exposed" via the response header I mentioned above.