Recently I've been working on a project which handles downloads via an Ajax request, and I wanted to read the filename from the response 'Content-Disposition' header. The server I was requesting the file from was running on a different IP address, so the server had been set up to accept CORS requests.

The request was working, and I was receiving the file, but I couldn't read the 'Content-Disposition' header in JavaScript, even though it was appearing in Chrome's dev tools. It turns out CORS is very strict on what it allows JavaScript access to - by default it can only read

Since 'Content-Disposition' is not in that list, I wasn't able to read it; the answer is setting the appropriate 'Access-Control-Expose-Headers' header on the server. I'm using Nginx, so the line I added looks like

add_header 'Access-Control-Expose-Headers' 'content-disposition';

(the name of the header is case-insensitive).

With the new header added, I can now read the header in JavaScript. Huge success!
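
Reading the exposed header on the client, as an added example that is not code from the original post: it parses the filename out of 'Content-Disposition', falls back when the header is not exposed (get() returns null), and treats the server-supplied name as untrusted input. The function names and the fallback value are assumptions made for the example.

```javascript
// Added example. `headers` is any object with a Headers-style get(name),
// such as response.headers from fetch().

// The filename comes from the remote server, so keep only the last path
// segment and drop control characters before using it anywhere.
function sanitize(name) {
  const base = name
    .replace(/^[\s\S]*[\\/]/, '')            // strip directories, incl. "../"
    .replace(/[\u0000-\u001f\u007f]/g, '');  // strip control characters
  return base.length > 0 ? base : null;
}

function filenameFromContentDisposition(value) {
  if (!value) return null;

  // Extended form (RFC 6266 / RFC 5987): filename*=UTF-8''percent-encoded
  const ext = /filename\*\s*=\s*([^']*)'[^']*'([^;]+)/i.exec(value);
  if (ext && /^utf-8$/i.test(ext[1])) {
    try {
      return sanitize(decodeURIComponent(ext[2].trim()));
    } catch (e) {
      // Malformed percent-encoding: fall through to the plain parameter.
    }
  }

  // Plain form: filename="quoted string" or filename=token
  const plain =
    /(?:^|;)\s*filename\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;]+))/i.exec(value);
  if (!plain) return null;
  const raw = plain[1] !== undefined
    ? plain[1].replace(/\\(.)/g, '$1')       // undo backslash escapes
    : plain[2].trim();
  return sanitize(raw);
}

function downloadFilename(headers, fallback) {
  // On a cross-origin response, get() returns null both when the header is
  // absent and when it is not listed in Access-Control-Expose-Headers.
  const value = headers.get('Content-Disposition');
  return filenameFromContentDisposition(value) || fallback;
}
```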