Cross Domain Resource Sharing GET: ‘refused to get unsafe header “etag”‘ from Response

by

Only simple response headers are exposed when using CORS. Simple response headers are defined here. ETag is not a simple response headers. If you want to expose non-simple headers, you need to set the Access-Control-Expose-Headers header, like so:

Access-Control-Expose-Headers: ETag

However, note that I’ve noticed bugs in Chrome, Safari and Firefox that prevent non-simple headers from being exposed correctly. This may be fixed by now, I’m not sure.

You shouldn’t need to do a preflight request, since preflight is only required for non-GET/POST http methods or non-simple request headers (and you are asking about response headers).

More Related Contents:

  1. Origin is not allowed by Access-Control-Allow-Origin
  2. Response to preflight request doesn’t pass access control check
  3. jQuery XML error ‘ No ‘Access-Control-Allow-Origin’ header is present on the requested resource.’
  4. how to bypass Access-Control-Allow-Origin?
  5. No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘…’ is therefore not allowed access
  6. JavaScript/jQuery to download file via POST with JSON data
  7. Why am I seeing an “origin is not allowed by Access-Control-Allow-Origin” error here? [duplicate]
  8. No ‘Access-Control-Allow-Origin’ header is present on the requested resource error
  9. Cross-Origin Read Blocking (CORB)
  10. Origin is not allowed by Access-Control-Allow-Origin
  11. CORS error on same domain?
  12. Why am I seeing an “origin is not allowed by Access-Control-Allow-Origin” error here? [duplicate]
  13. Understanding AJAX CORS and security considerations
  14. Why does the preflight OPTIONS request of an authenticated CORS request work in Chrome but not Firefox?
  15. AngularJS POST Fails: Response for preflight has invalid HTTP status code 404
  16. Is CORS a secure way to do cross-domain AJAX requests?
  17. How do you create a custom adapter for ember.js?
  18. Javascript – No ‘Access-Control-Allow-Origin’ header is present on the requested resource
  19. What’s to stop malicious code from spoofing the “Origin” header to exploit CORS?
  20. How to allow CORS in react.js?
  21. Cross-origin resource sharing (CORS) concept
  22. CORS cookie credentials from mobile WebView loaded locally with file://
  23. CORS error for application running from file:// scheme
  24. Solve Cross Origin Resource Sharing with Flask
  25. Add CORS header to an http request using Ajax
  26. How to Detect Cross Origin (CORS) Error vs. Other Types of Errors for XMLHttpRequest() in Javascript
  27. Microsoft Edge blocked cross-domain requests sent to IPs in same private network CIDR
  28. XMLHttpRequest: Network Error 0x80070005, Access is denied on Microsoft Edge (but not IE)
  29. CORS error with jquery
  30. CORS – Is it a client-side thing, a server-side thing, or a transport level thing? [duplicate]

Leave a Comment