AJAX CORS – How to Get Response Header via Cross-Domain AJAX

ajaxcorscross-domainhttp-headers

I'm trying to read documentation and I must confess it is not an easy reading. I have no problem (after adding Access-Control-Allow-Origin header) to read responseText, but fail to get response header anywhere except Firefox.

So, my question is what is the right way to get response header, using cross-domain ajax?

I've tried to use (Access-Control-Expose-Headers), but, again, failed to read header.

Best Answer

So the way it should work is that you specify the headers you want the client to have access to in the Access-Control-Expose-Headers header. For example, if your server sets a Foo response header, and you want the client to be able to read it, your server should also send the following header:

Access-Control-Expose-Headers: Foo

On the client side, you can read all the response headers by calling xhr.getAllResponseHeaders(). This returns the response headers as a string, which you can then parse into an object using the following code: https://gist.github.com/706839

That is an explanation of how things should work. However, note that there is a bug in older browsers where the response headers can't be read on the client. See here for more details: CORS xmlhttprequest HEAD method

Related Solutions

Cross-Domain AJAX – X-Requested-With Header Not Sent

If you are using jQuery to do your ajax request, it will not send the header X-Requested-With (HTTP_X_REQUESTED_WITH) = XMLHttpRequest, because it is cross domain. But there are 2 ways to fix this and send the header:

Option 1) Manually set the header in the ajax call:

$.ajax({
     url: "http://your-url...",
 headers: {'X-Requested-With': 'XMLHttpRequest'}
});

Option 2) Tell jQuery not to use cross domain defaults, so it will keep the X-Requested-With header in the ajax request:

$.ajax({
  url: "http://your-url...",
 crossDomain: false
});

But with this, the server must allow those headers, then the server needs to print those headers:

print "Access-Control-Allow-Origin: *\n";
print "Access-Control-Allow-Headers: X-Requested-With, Content-Type\n";

The first line above will avoid the error "Origin is not allowed by Access-Control-Allow-Origin."
The second line will avoid the error "Request header field X-Requested-With is not allowed by Access-Control-Allow-Headers."

JavaScript jQuery Ajax – Can’t Get Custom HTTP Header Response from getAllResponseHeaders

I wanna thank jbl for pointing me to the right SO question. I got it now...

So, OK... the answer. If you ever wanted to set your own HTTP Header information, and then fetch it using cross-domain Ajax, or something like that, here are some extra HTTP Header you should set on your server side, before sending the response text.

header('Access-Control-Allow-Origin: *');
header("Access-Control-Allow-Methods: POST, GET");      
header('Custom-Header: Own-Data');
header('Access-Control-Expose-Headers: Custom-Header');

Example above uses PHP. But use your own language, what ever you use to set them.

When I asked this question, I had all of that except Access-Control-Expose-Headers. After putting that in, my Javascript Ajax can read the content of HTTP Header Custom-Header.

Best Answer

Related Solutions

Cross-Domain AJAX – X-Requested-With Header Not Sent

JavaScript jQuery Ajax – Can’t Get Custom HTTP Header Response from getAllResponseHeaders

Related Question