IE 11 getAllResponseHeaders does not filter headers when CORS is enabled - by Sargis Koshkaryan

Status: Fixed

This item has been fixed in the current or upcoming version of this product.

A more detailed explanation for the resolution of this particular item may have been provided in the comments section.

ID: 837235
Status: Closed
Type: Bug
Repros: 0
Opened: 3/20/2014 3:59:36 AM
Access Restriction: Public


I use IE 11 (v 11.0.9600.16521) and Windows 7 Enterprise edition.
I have a REST web service and a browser-based client, and I enabled cross-domain requests. On the client side getAllResponseHeaders returns a list of all headers (including headers that I added to the response in my server-side application), but according to the W3C Recommendation (16 January 2014) about Cross-Origin Resource Sharing: "User agents must filter out all response headers other than those that are a simple response header or of which the field name is an ASCII case-insensitive match for one of the values of the Access-Control-Expose-Headers headers (if any), before exposing response headers to APIs defined in CORS API specifications."
Simple response headers are the following:
1. Cache-Control
2. Content-Language
3. Content-Type
4. Expires
5. Last-Modified
6. Pragma
Chrome and Mozilla work fine in this case, but IE does not filter headers :( .
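
The filtering rule quoted in the report above, written as a check a tester can run against the output of `getAllResponseHeaders()` from a cross-origin request. This is an added example, not code from the reporter or from Microsoft; the function names, the sample header blocks and the `X-Request-Id` / `X-Internal-Node` headers are constructed for illustration.

```javascript
// Simple response headers, as listed in the report above.
const SIMPLE_RESPONSE_HEADERS = new Set([
  "cache-control", "content-language", "content-type",
  "expires", "last-modified", "pragma",
]);

// Split the "Name: value" lines returned by getAllResponseHeaders() into names.
function headerNames(rawBlock) {
  const names = [];
  for (const line of rawBlock.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx > 0) names.push(line.slice(0, idx).trim()); // skip blank/malformed lines
  }
  return names;
}

// Lower-cased field names listed in an Access-Control-Expose-Headers value.
function exposeList(exposeHeaderValue) {
  return new Set(
    (exposeHeaderValue || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean)
  );
}

// Names visible to script that the quoted CORS rule says must be filtered out.
// rawBlock: xhr.getAllResponseHeaders() from a cross-origin request.
// exposeHeaderValue: the Access-Control-Expose-Headers value the server sends
// (taken from server config, since a filtering browser hides it from script).
function findUnfilteredHeaders(rawBlock, exposeHeaderValue) {
  const exposed = exposeList(exposeHeaderValue);
  return headerNames(rawBlock).filter((name) => {
    const lower = name.toLowerCase(); // ASCII case-insensitive match
    return !SIMPLE_RESPONSE_HEADERS.has(lower) && !exposed.has(lower);
  });
}

// Constructed sample blocks (not captured from a real browser).
const UNFILTERED_SAMPLE =
  "Content-Type: application/json\r\nCache-Control: no-cache\r\n" +
  "X-Request-Id: abc123\r\nX-Internal-Node: app-07\r\n" +
  "Access-Control-Allow-Origin: https://client.example\r\n" +
  "Access-Control-Expose-Headers: X-Request-Id\r\n";
const FILTERED_SAMPLE =
  "Content-Type: application/json\r\nCache-Control: no-cache\r\nX-Request-Id: abc123\r\n";

console.log(findUnfilteredHeaders(UNFILTERED_SAMPLE, "X-Request-Id"));
console.log(findUnfilteredHeaders(FILTERED_SAMPLE, "X-Request-Id"));
```

An empty result means the browser applied the filter; any name returned is a header that script on another origin could read without the server having listed it in Access-Control-Expose-Headers.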
Posted by Microsoft on 1/7/2016 at 12:29 PM
Thank you for the feedback. This issue appears to have been fixed in Microsoft Edge. We're not presently working on feature bugs in Internet Explorer outside of security-related issues.
Best Regards,
The Microsoft Edge Team
Posted by Adrian [MSFT] on 7/16/2014 at 8:26 AM
Thanks for the clarification. We will investigate this issue again.
Posted by EricLaw [ex-MSFT] on 7/15/2014 at 7:14 AM
This bug is unrelated to the "XHR ignores cache-control headers" bug. It's in a completely different area of the code. This bug presents a security issue.
Posted by Sargis Koshkaryan on 3/23/2014 at 10:22 AM
OK, thank you
Posted by Microsoft on 3/20/2014 at 6:31 AM
Hello Sargis Koshkaryan,
The issue you are reporting is very similar to Feedback #836581.
Please follow the status of your bug by clicking here!

Best Regards,
The Internet Explorer Team
Posted by Mаx Shillby on 3/20/2014 at 5:50 AM
Hi Sargis.
I had actually posted a Connect report just very recently which includes an online demo that should be able to demonstrate this.
It has an input field for a source url, and displays the header results of the xhr response.
Do you have a particular link I could try out? I'd like to see. Thx.