2.1.10 Section 7.1.1, Handling a Response to a Cross-Origin Request
The specification states:
User agents must filter out all response headers other than those that are a simple response header or of which the field name is an ASCII case-insensitive match for one of the values of the Access-Control-Expose-Headers headers (if any), before exposing response headers to APIs defined in CORS API specifications. Note: The getResponseHeader() method of XMLHttpRequest will therefore not expose any header not indicated above.
IE8 Mode, IE9 Mode, and IE10 Mode (All Versions)