Many blog postings out on the web today say that with a WebAPI 2.0 project and OWIN, enabling CORS is easy.
However, I've never seen an
Access-Control-Expose-Headers returned from my API, either in a response to a GET or an OPTIONS preflight.
I've altered my
UseCors setup code to explicitly set a list of header names to expose in the CORS policy.
I haven't the CORS knowledge to assert that
Microsoft.Owin.Cors package is broken, though I have a hunch that it is and that blogger's are only testing primitive APIs.