Only simple response headers are exposed when using CORS. Simple response headers are defined here. ETag
is not a simple response headers. If you want to expose non-simple headers, you need to set the Access-Control-Expose-Headers
header, like so:
Access-Control-Expose-Headers: ETag
However, note that I’ve noticed bugs in Chrome, Safari and Firefox that prevent non-simple headers from being exposed correctly. This may be fixed by now, I’m not sure.
You shouldn’t need to do a preflight request, since preflight is only required for non-GET/POST http methods or non-simple request headers (and you are asking about response headers).