Top HTTP Headers Exposed to CORS Responses via Access-Control-Expose-Headers

By Default a CORS XHR request has the following headers available for inspection in a response:

http://www.w3.org/TR/cors/#simple-response-header

Any other header (like X-headers or cookie for example) is not accessible for a XHR request. For it to available you need the site you are requesting to explicitly set the header Access-Control-Expose-Headers and give it specific ‘case-insensitive’ headers.

For example if you want the content length to determine the size the following should be set

Access-Control-Expose-Headers: content-length

Now, I was curious to see what are the most common such values across the HTTP

select count(requestid) as ct, REGEXP_EXTRACT(LOWER(respOtherHeaders),r’access-control-expose-headers = ([\w-]+)’) ac,
FROM [httparchive:runs.latest_requests]
group by ac
having ac is NOT NULL
order by ct desc;

The following was the response which shows people are most interested in Data, LastModified and some specific ids