Should the Access-Control-Expose-Headers header field be returned along with an entity in response to an 'actual' request?
Or should it only be returned in response to a CORS preflight request?
According to the flow chart on the following page, the answer is only in response to the actual request: http://www.html5rocks.com/en/tutorials/cors/#toc-cors-server-flowchart
The flowchart is such a good resource I wanted to repost it here in my own answer.
Image from: http://www.html5rocks.com/en/tutorials/cors/#toc-cors-server-flowchart