IE 11 getAllResponseHeaders does not filter headers when CORS is enabled - by Sargis Koshkaryan

ID: 837235
Status: Active
Type: Bug
Repros: 0
Opened: 3/20/2014 3:59:36 AM
Access Restriction: Public

Description

I use IE 11 (v 11.0.9600.16521) and Windows 7 Enterprise edition.
I have a REST web service and a browser-based client, and I enabled cross-domain requests. On the client side, getAllResponseHeaders returns a list of all headers (including headers that I added to the response in my server-side application), but according to the W3C Recommendation (16 January 2014) on Cross-Origin Resource Sharing: "User agents must filter out all response headers other than those that are a simple response header or of which the field name is an ASCII case-insensitive match for one of the values of the Access-Control-Expose-Headers headers (if any), before exposing response headers to APIs defined in CORS API specifications."
Simple response headers are the following:
1. Cache-Control
2. Content-Language
3. Content-Type
4. Expires
5. Last-Modified
6. Pragma
Chrome and Mozilla work fine in this case, but IE does not filter headers :(
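Added example, not part of the original report and not any browser's own code: a JavaScript check that applies the filtering rule quoted above to the text returned by `getAllResponseHeaders()` and lists the header names a conforming user agent should have withheld. The function names and the sample header block are constructed for illustration; the expose list is passed in from the known server configuration, because a conforming browser does not expose `Access-Control-Expose-Headers` itself.

```javascript
// Simple response headers as listed in the report (W3C CORS Recommendation).
const SIMPLE_RESPONSE_HEADERS = new Set([
  "cache-control", "content-language", "content-type",
  "expires", "last-modified", "pragma",
]);

// Parse the CRLF-separated "Name: value" text returned by
// XMLHttpRequest.getAllResponseHeaders() into [name, value] pairs.
function parseRawHeaders(raw) {
  return raw.split(/\r?\n/)
    .map((line) => line.match(/^([^:\s]+)\s*:\s*(.*)$/))
    .filter(Boolean)
    .map((m) => [m[1], m[2].trim()]);
}

// Allowed names: simple response headers plus the comma-separated values of
// Access-Control-Expose-Headers, compared ASCII case-insensitively.
function allowedNames(exposeHeaders) {
  const allowed = new Set(SIMPLE_RESPONSE_HEADERS);
  for (const name of (exposeHeaders || "").split(",")) {
    const n = name.trim().toLowerCase();
    if (n) allowed.add(n);
  }
  return allowed;
}

// What a conforming user agent exposes for a cross-origin response.
function filterCorsResponseHeaders(raw, exposeHeaders) {
  const allowed = allowedNames(exposeHeaders);
  return parseRawHeaders(raw)
    .filter(([name]) => allowed.has(name.toLowerCase()));
}

// Names that should have been filtered out; a non-empty result on a
// cross-origin response is the behaviour described in this report.
function findLeakedHeaders(raw, exposeHeaders) {
  const allowed = allowedNames(exposeHeaders);
  return parseRawHeaders(raw).map(([name]) => name)
    .filter((name) => !allowed.has(name.toLowerCase()));
}

// Constructed sample of an unfiltered header block (names and values invented).
const SAMPLE_UNFILTERED = [
  "Content-Type: application/json",
  "Cache-Control: no-cache",
  "X-Internal-Build: 42",
  "X-Request-Id: abc123",
  "Access-Control-Allow-Origin: https://client.example",
  "Access-Control-Expose-Headers: X-Request-Id",
].join("\r\n");
```

In a browser test page, pass `xhr.getAllResponseHeaders()` from a cross-origin request as `raw` and fail the test when `findLeakedHeaders` returns anything.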
Posted by Microsoft on 7/16/2014 at 8:26 AM
Thanks for the clarification. We will investigate this issue again.
Posted by EricLaw [ex-MSFT] on 7/15/2014 at 7:14 AM
This bug is unrelated to the "XHR ignores cache-control headers" bug. It's in a completely different area of the code. This bug presents a security issue.
Posted by Sargis Koshkaryan on 3/23/2014 at 10:22 AM
OK, thank you
Posted by Microsoft on 3/20/2014 at 6:31 AM
Hello Sargis Koshkaryan,
The issue you are reporting is very similar to Feedback #836581.
Please follow the status of your bug by clicking here!
https://connect.microsoft.com/IE/feedback/details/836581/ie11-xmlhttprequest-ignores-cache-control-headers

Best Regards,
The Internet Explorer Team
Posted by Mаx Shillby on 3/20/2014 at 5:50 AM
Hi Sargis.
I had actually posted a Connect report just very recently which includes an online demo that should be able to demonstrate this.
It has an input field for a source url, and displays the header results of the xhr response.
Do you have a particular link I could try out? I'd like to see. Thx.

https://connect.microsoft.com/IE/feedback/details/836581/ie11-xmlhttprequest-ignores-cache-control-headers