'Refused to get unsafe header' CORS on old Safari


#1

When I try to access a custom header from a cross-site AJAX request on Safari 5.1.4 I get the following error:

Refused to get unsafe header "x-geoip_country_code"

On Safari 8.0.7 and all other browsers I can access the header without problems.

These are the headers the server is returning for the request:

Access-Control-Allow-Methods:GET,OPTIONS
Access-Control-Allow-Origin:*
Access-Control-Expose-Headers:X-GEOIP_COUNTRY_CODE
Cache-Control:no-cache
Connection:keep-alive
Content-Encoding:gzip
Content-Type:application/xml
Date:Sun, 10 Dec 2017 13:07:27 GMT
Etag:W/"5a2aa7cd-658"
Expires:Sat, 09 Dec 2017 14:55:09 GMT
Keep-Alive:timeout=10
Last-Modified:Fri, 08 Dec 2017 14:55:09 GMT
Server:nginx/1.13.3
Transfer-Encoding:Identity
Vary:Accept-Encoding
X-GEOIP_COUNTRY_CODE:US

I have tried changing the 'X-GEOIP_COUNTRY_CODE' part of the headers to all lower case and also adding the Access-Control-Allow-Headers header, both on preflight and the actual request. (It's just a simple GET so it shouldn't actually be pre-flighted and no pre-flight request shows on Safari's Network tab, though I didn't check the server logs).

Calling getAllResponseHeaders() from the XMLHttpRequest rather than checking for my specific header only shows the standard headers.

Anyone know what the problem is? Just a bug on old Safari?


#2

Are you able to successfully retrieve simple response headers, like Content-Type or Last-Modified?
If so, then the older browser may be restricted as to what types of information it can retrieve.

https://www.w3.org/TR/cors/#simple-response-header

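To make the rule in the linked spec section concrete, here is an added example (not code from the original thread) that models which response headers script is allowed to read from a cross-origin XMLHttpRequest: the CORS-safelisted ("simple") response headers are always readable, and anything else must be named in Access-Control-Expose-Headers, matched case-insensitively. The sample response is constructed from the headers pasted in the question; the `honorExposeHeaders` switch is an assumption used only to reproduce the two behaviours reported in the thread, not a description of how any Safari version is implemented.

```javascript
// CORS-safelisted response-header names (the spec's "simple response headers").
// Note that Access-Control-Expose-Headers itself is not on this list.
const SAFELISTED_RESPONSE_HEADERS = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);

// Constructed sample: the relevant headers from the question, as pasted from a
// dev-tools Network tab ("Name:value" per line, no space after the colon).
const QUESTION_RESPONSE = `Access-Control-Allow-Methods:GET,OPTIONS
Access-Control-Allow-Origin:*
Access-Control-Expose-Headers:X-GEOIP_COUNTRY_CODE
Cache-Control:no-cache
Content-Type:application/xml
Expires:Sat, 09 Dec 2017 14:55:09 GMT
Last-Modified:Fri, 08 Dec 2017 14:55:09 GMT
X-GEOIP_COUNTRY_CODE:US`;

// Parse "Name:value" lines into a Map keyed by lower-cased name.
// Header names are case-insensitive, so X-GEOIP_COUNTRY_CODE and
// x-geoip_country_code must compare equal.
function parseHeaderLines(text) {
  const headers = new Map();
  for (const line of text.split("\n")) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue;                 // skip blank or malformed lines
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers.set(name, value);
  }
  return headers;
}

// Names listed in Access-Control-Expose-Headers (comma-separated), lower-cased.
function parseExposeHeaders(value) {
  if (!value) return new Set();
  return new Set(
    value.split(",").map((s) => s.trim().toLowerCase()).filter(Boolean)
  );
}

// Return the sorted list of header names that script may read from a
// cross-origin response.  honorExposeHeaders=false ignores the Expose-Headers
// list entirely (assumption: a switch to reproduce the old-Safari symptom in
// the thread).  A "*" entry exposes everything but is only honoured for
// requests made without credentials.
function readableHeaders(headers, { honorExposeHeaders = true, credentialed = false } = {}) {
  const exposed = honorExposeHeaders
    ? parseExposeHeaders(headers.get("access-control-expose-headers"))
    : new Set();
  const wildcard = exposed.has("*") && !credentialed;
  const result = [];
  for (const name of headers.keys()) {
    if (SAFELISTED_RESPONSE_HEADERS.has(name) || wildcard || exposed.has(name)) {
      result.push(name);
    }
  }
  return result.sort();
}

// Convenience check for a single header, mirroring getResponseHeader(name).
function canRead(headers, name, opts) {
  return readableHeaders(headers, opts).includes(name.toLowerCase());
}

// Stand-alone demonstration of the two behaviours described in the thread.
const parsed = parseHeaderLines(QUESTION_RESPONSE);
console.log("expose list honoured:", readableHeaders(parsed));
console.log("expose list ignored: ", readableHeaders(parsed, { honorExposeHeaders: false }));
console.log("x-geoip_country_code readable (honoured):",
  canRead(parsed, "X-GEOIP_COUNTRY_CODE"));
```

With the Expose-Headers list honoured, the five readable names are the four safelisted ones plus x-geoip_country_code; with it ignored, the output is exactly the four headers that getAllResponseHeaders() returns in post #3, which is why exposing a non-safelisted standard header such as Content-Encoding makes no difference in that mode either.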

#3

If I call getAllResponseHeaders() I get:

"Last-Modified: Fri, 08 Dec 2017 14:55:09 GMT
Content-Type: application/xml
Cache-Control: no-cache
Expires: Sat, 09 Dec 2017 14:55:09 GMT
"

I haven't tried setting Access-Control-Expose-Headers to any of the other standard headers to see if that works, e.g. try exposing Content-Encoding. If I get time tomorrow I will give that a try and report back.


#4

Tried exposing Content-Encoding and then testing in old Safari now, and that didn't work either. So it's not just access to custom headers that is being blocked.

