CORS-safelisted response header

A CORS-safelisted response header is an HTTP header which has been safelisted so that it will not be filtered when responses are processed by CORS, since they're considered safe (as the headers listed in Access-Control-Expose-Headers). By default, the safelist includes the following response headers:

Content-Length was not part of the original set safelisted response headers [ref]

Examples

Extending the safelist

You can extend the list of CORS-safelisted response headers by using the Access-Control-Expose-Headers header:

Access-Control-Expose-Headers: X-Custom-Header, Content-Length