How do I fetch all headers in Javascript?

Question

Quick and dirty experiment:

function fetchHead(url) {
    var request = new XMLHttpRequest();
    request.onreadystatechange = function () {
        if (request.readyState === XMLHttpRequest.DONE) {
            console.log(request.getAllResponseHeaders())
        }
    }

    request.open('HEAD', url, true)
    request.send(null)
}

It only shows three headers: ["cache-control", "content-type", "expires"]. But there are a dozen headers in the actual response, as seen in the Network Inspector in the Development Toolbar.

Is there any (other) way to get all headers in Javascript? Is it possible (at all) to read a custom response header from within Javascript?

PS - The response does have Access-Control-Allow-Origin: *. Somehow the browsers does seem to strip out a lot of the headers though.

which browser are you using?

Kaelan Mikowicz
– Kaelan Mikowicz

2020-04-03 00:47:29 +00:00
Commented Apr 3, 2020 at 0:47 — Kaelan Mikowicz
– Kaelan Mikowicz, Commented Apr 3, 2020 at 0:47
@klanmiko Google Chrome 83

Redsandro
– Redsandro

2020-04-03 18:16:34 +00:00
Commented Apr 3, 2020 at 18:16 — Redsandro
– Redsandro, Commented Apr 3, 2020 at 18:16

Redsandro · Accepted Answer · 2020-04-03 18:21:57Z

2

For security reasons browsers restrict access to most HTTP Headers calls via XMLHttpRequest. Best reference for this is probably the Fetch standard.

These restricted list can be expanded by the server returning a Access-Control-Expose-Headers header telling the browser which headers are safe for JavaScript to have access to.

edited Apr 3, 2020 at 18:21

Redsandro

11.4k15 gold badges81 silver badges111 bronze badges

answered Apr 3, 2020 at 10:53

Barry Pollard

47k8 gold badges93 silver badges103 bronze badges

Sign up to request clarification or add additional context in comments.

3 Comments

Redsandro Over a year ago

So basically there is no way around it without using a proxy. That's anti-climactic, but clear.

Barry Pollard Over a year ago

Correct. Or otherwise you could ask for access to set-cookie headers for example and therefore get access to cookies your domain shouldn’t see. Just one example of the dangers of unrestricted access.

Barry Pollard Over a year ago

And thanks for the correction. You are correct - been a while since I looked at this!!

Kaelan Mikowicz · Accepted Answer · 2020-04-03 00:45:44Z

0

I can't reproduce this. MDN says that all headers will be returned in lowercase.

answered Apr 3, 2020 at 0:45

Kaelan Mikowicz

3452 silver badges12 bronze badges

Collectives™ on Stack Overflow

How do I fetch all headers in Javascript?

2 Answers 2

3 Comments

Comments

Your Answer

Hot Network Questions

Collectives™ on Stack Overflow

2 Answers 2

3 Comments

Comments

Your Answer

Sign up or log in

Post as a guest

Related