Refused to get unsafe header "Content-Range"
12,200
This appears to be a bug on our side. Only the last header value in the ResponseHeaders list is returned in the Access-Control-Expose-Headers header. We are working on rolling out a fix, but as a workaround, if you only need the Content-Range header (Content-Length is considered a simple header by the CORS spec and is added automatically), please try setting your CORS config to this:
<?xml version="1.0" ?>
<CorsConfig>
<Cors>
<Origins>
<Origin>*</Origin>
</Origins>
<Methods>
<Method>GET</Method>
<Method>HEAD</Method>
<Method>DELETE</Method>
</Methods>
<ResponseHeaders>
<ResponseHeader>Content-Range</ResponseHeader>
</ResponseHeaders>
<MaxAgeSec>1800</MaxAgeSec>
</Cors>
</CorsConfig>
UPDATE: This bug has been fixed.
Related videos on Youtube
02 : 19
Salesforce: Refused to set unsafe header "User-Agent": connection.js (2 Solutions!!)
01 : 24
jQuery : Cookie Header in PhoneGap: Refused to set unsafe header "Cookie"
01 : 52
Salesforce: Refused to set unsafe header when running javascript in Service Cloud
07 : 20
EmberScreencast 63 - Content Security Policy
01 : 05
Cross Domain Resource Sharing GET refused to get unsafe header etag from Response - JavaScript
01 : 33
Cookie Header in PhoneGap Refused to set unsafe header Cookie - jQuery
Author by
whadar
Updated on June 04, 2022Comments
-
whadar almost 2 years
For some reason I cannot access the response header of "Content-Range" anymore... Therefore it's impossible to determine the file size of a resource using XHR. I get error
Refused to get unsafe header "Content-Range"on Chrome in this line:var cr = this.getResponseHeader('Content-Range');Here's the CORS config:
<?xml version="1.0" ?> <CorsConfig> <Cors> <Origins> <Origin>*</Origin> </Origins> <Methods> <Method>GET</Method> <Method>HEAD</Method> <Method>DELETE</Method> </Methods> <ResponseHeaders> <ResponseHeader>x-goog-meta-foo1</ResponseHeader> <ResponseHeader>origin</ResponseHeader> <ResponseHeader>range</ResponseHeader> <ResponseHeader>Content-Range</ResponseHeader> <ResponseHeader>Content-Length</ResponseHeader> </ResponseHeaders> <MaxAgeSec>1800</MaxAgeSec> </Cors>CURL output:
$ curl -H "Origin: http://peer5.com" http://commondatastorage.googleapis.com/peer5_vod/wind2_orig.mp4 -s -D - -o /dev/null HTTP/1.1 200 OK Server: HTTP Upload Server Built on May 8 2013 16:51:19 (1368057079) Expires: Mon, 13 May 2013 09:47:40 GMT Date: Mon, 13 May 2013 08:47:40 GMT Cache-Control: public, max-age=3600, no-transform Last-Modified: Fri, 22 Mar 2013 17:09:47 GMT ETag: "755232ae8fef22bc7b4e9510a68a646e" x-goog-generation: 1363972188238000 x-goog-metageneration: 2 Content-Type: video/mp4 x-goog-hash: crc32c=pZmS2Q== x-goog-hash: md5=dVIyro/vIrx7TpUQpopkbg== Accept-Ranges: bytes Content-Length: 15535795 Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length, Date, Server, Transfer-Encoding-
jterrace almost 11 yearsCould you please post your CORS document configured for the bucket? You can run the gsutil getcors command to fetch it.
-
ShanEllis almost 11 yearsContent-Range is not one of the simple response headers. If you explicitly set Access-Control-Expose-Headers in the CORS to include it, I expect that it should work. -
whadar almost 11 years@BrandonYarbrough see the response header <ResponseHeader>Content-Range</ResponseHeader> in cors config
-
-
jterrace almost 11 years@whadar the bug is now fixed
-
amit about 9 yearsi am on canary and can still see this happening.
