'Refused to get unsafe header' CORS on old Safari

When I try to access a custom header from a cross-site AJAX request on Safari 5.1.4 I get the following error:

Refused to get unsafe header "x-geoip_country_code"

On Safari 8.0.7 and all other browsers I can access the header without problems.

These are the headers the server is returning for the request:

Date:Sun, 10 Dec 2017 13:07:27 GMT
Expires:Sat, 09 Dec 2017 14:55:09 GMT
Last-Modified:Fri, 08 Dec 2017 14:55:09 GMT

I have tried changing the ‘X-GEOIP_COUNTRY_CODE’ part of the headers to all lower case and also adding the Access-Control-Allow-Headers header, both on preflight and the actual request. (It’s just a simple GET so it shouldn’t actually be pre-flighted and no pre-flight request shows on Safari’s Network tab, though I didn’t check the server logs).

Calling getAllResponseHeaders() from the XMLHttpRequest rather than checking for my specific header only shows the standard headers.

Anyone know what the problem is? Just a bug on old Safari?

Are you able to successfully retrieve simple response headers, like Content-Type or Last-Modified?
If so, then the older browser may be restricted as to what types of information it can retrieve.


If I call getAllResponseHeaders() I get:

"Last-Modified: Fri, 08 Dec 2017 14:55:09 GMT
Content-Type: application/xml
Cache-Control: no-cache
Expires: Sat, 09 Dec 2017 14:55:09 GMT


I haven’t tried setting Access-Control-Expose-Headers to any of the other standard headers to see if that works, e.g. try exposing Content-Encoding. If I get time tomorrow I will give that a try and report back.

Tried exposing Content-Encoding and then testing in old Safari now, and that didn’t work either. So it’s not just access to custom headers that is being blocked.
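Added example, not part of the thread and not code from any poster: a model of the response-header filter that the Fetch standard applies to cross-origin reads such as getResponseHeader() and getAllResponseHeaders(). It describes spec-compliant behaviour only, not what Safari 5.1.4 does; the function names, the header values and the origin https://app.example are constructed for illustration.

```javascript
// Model of the Fetch standard's CORS response-header filter (added illustration).
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);
// Never readable from script, whatever the server sends.
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]);

// Parse the comma-separated Access-Control-Expose-Headers value.
function parseExposeList(value) {
  return new Set(
    (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean)
  );
}

// Return the lower-cased header names that cross-origin script may read.
// `credentialed` is true when the request was sent with credentials.
function readableHeaders(headers, credentialed = false) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  const exposed = parseExposeList(lower["access-control-expose-headers"]);
  // "*" is a wildcard only for non-credentialed requests.
  const wildcard = !credentialed && exposed.has("*");
  return Object.keys(lower)
    .filter((name) => !FORBIDDEN.has(name))
    .filter((name) => SAFELISTED.has(name) || wildcard || exposed.has(name))
    .sort();
}

// Constructed response resembling the one in the thread (values are made up).
const sample = {
  "Date": "Sun, 10 Dec 2017 13:07:27 GMT",
  "Expires": "Sat, 09 Dec 2017 14:55:09 GMT",
  "Last-Modified": "Fri, 08 Dec 2017 14:55:09 GMT",
  "Content-Type": "application/xml",
  "Cache-Control": "no-cache",
  "X-GEOIP_COUNTRY_CODE": "GB",
  "Access-Control-Allow-Origin": "https://app.example",
};

function demo() {
  const withoutExpose = readableHeaders(sample);
  const withExpose = readableHeaders({
    ...sample,
    "Access-Control-Expose-Headers": "X-GEOIP_COUNTRY_CODE",
  });
  return { withoutExpose, withExpose };
}
console.log(demo());
```

Without an expose list, the model returns only the safelisted names, so Date and the custom header are withheld; naming the custom header in Access-Control-Expose-Headers adds it to the readable set.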

