By default, the safelist includes the following response headers:
Additional headers can be added to the safelist using Access-Control-Expose-Headers.
Note: Content-Length was not part of the original set of safelisted response headers [ref]
Examples
Extending the safelist
You can extend the list of CORS-safelisted response headers by using the Access-Control-Expose-Headers header:
Access-Control-Expose-Headers: X-Custom-Header, Content-Encoding