Restrictions of XMLHttpRequest’s getResponseHeader()?

by

The current state of standardizing the XMLHttpRequest API does only restrict the access to the Set-Cookie and Set-Cookie2 header fields:

client.getAllResponseHeaders()

Returns all headers from the response, with the exception of those whose field name is Set-Cookie or Set-Cookie2.

Any other header field should be returned.

But as you’re doing a cross-origin request, the browser needs to implement XMLHttpRequest Level 2 as the original XMLHttpRequest does only allow same-origin requests:

The XMLHttpRequest Level 2 specification enhances the XMLHttpRequest object with new features, such as cross-origin requests […]

There you can read that the “Cross-Origin Resource Sharing specification filters the headers that filters the headers that are exposed by getResponseHeader() for non same-origin requests.”. And that specification forbids access to any response header field other except the simple response header fields (i.e. Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, and Pragma):

User agents must filter out all response headers other than those that are a simple response header […]

E.g. the getResponseHeader() method of XMLHttpRequest will therefore not expose any header not indicated above.

More Related Contents:

  1. Method for streaming data from browser to server via HTTP
  2. How to intercept all http requests including form submits
  3. Firefox setting to enable cross domain Ajax request
  4. Page loaded over HTTPS but requested an insecure XMLHttpRequest endpoint
  5. Suppress Chrome ‘Failed to load resource’ messages in console
  6. Why am I seeing an “origin is not allowed by Access-Control-Allow-Origin” error here? [duplicate]
  7. AngularJS Error: Cross origin requests are only supported for protocol schemes: http, data, chrome-extension, https
  8. POST data in JSON format
  9. Setting query string using Fetch GET request
  10. get client time zone from browser [duplicate]
  11. Getting BLOB data from XHR request
  12. caching JavaScript files
  13. CORS request not working in Safari
  14. fetch – Missing boundary in multipart/form-data POST
  15. Show a progress bar for downloading files using XHR2/AJAX
  16. Fetch API vs XMLHttpRequest
  17. What’s to stop malicious code from spoofing the “Origin” header to exploit CORS?
  18. http basic authentication “log out”
  19. Cross-site XMLHttpRequest
  20. HTTP request from Angular sent as OPTIONS instead of POST
  21. XMLHttpRequest cannot load, No ‘Access-Control-Allow-Origin’ header is present on the requested resource [duplicate]
  22. get all the href attributes of a web site [duplicate]
  23. Cross-Origin XMLHttpRequest in chrome extensions
  24. Browser waits for ajax call to complete even after abort has been called (jQuery)
  25. responseXML always null
  26. how to schedule ajax calls every N seconds?
  27. How to handle ETIMEDOUT error?
  28. Same Origin Policy – AJAX & using Public APIs
  29. Intercept XMLHttpRequest and modify responseText
  30. Difference between res.send and res.json in Express.js

Leave a Comment