Recently I've been working on a project which handles downloads via an ajax request, and I wanted to read the filename from the response 'Content-Disposition' header. The server I was requesting the file from was running on a different IP address, so the server had been set up to accept CORS requests.
Since 'Content-Disposition' is not in that list, I wasn't able to read it; the answer is setting the appropriate 'Access-Control-Expose-Headers' header on the server. I'm using Nginx, so the line I added looks like
add_header 'Access-Control-Expose-Headers' 'content-disposition'
(the name of the header is case-insensitive).