getRequestHeader isn't exposing headers allowed by server with Access-Control-Expose-Headers in pre-flight OPTIONS request

Not reproducible Issue #8433404


Luke V.
Aug 9, 2016
This issue is public.
Found in
  • Microsoft Edge
  • Internet Explorer
Reported by 1 person

Sign in to watch or report this issue.

Steps to reproduce

Create a cross domain XMLHttpRequest that causes IE 11 or Edge to make a pre-flight OPTIONS request to the server. The server response should include one or more Access-Control-Expose-Headers in the response header.

Example: Access-Control-Expose-Headers: X-Per-Page, X-Total-Entries

The actual CORS request fails with an error when attempting to add an allowed header:
SEC7123: Request header X-Per-Page was not present in the Access-Control-Allow-Headers list.

Please see this related stack-overflow question:


0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Brad E.”

      Changed Status to “Not reproducible”

    • Sorry about the delay in getting back to you on this item of feedback.

      Unless I am mistaken, this has been fixed in later builds of Win 10, or at least Edge. I setup a repro URL in a sandbox here:

      If you look through the details in the network tab and the console you will notice this completes successfully in Edge. I’m not sure if our details different in how we are setting up these requests… But I surely see the headers with the parameters I am passing in the headers.

      Please note that IE feature bugs are no longer being worked on unless they are security related. Since we cannot repro in Edge in 14393.187 or higher, I will mark the item as not repro. If you find this in error please feel free to respond or reactivate.

      We look forward to more feedback from you going forward.

      All the best,
      The MS Edge Team

    You need to sign in to your Microsoft account to add a comment.

    Sign in