=== modified file 'dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/filter/CorsFilter.java'
--- dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/filter/CorsFilter.java	2014-12-30 22:48:33 +0000
+++ dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/filter/CorsFilter.java	2014-12-30 22:50:26 +0000
@@ -83,7 +83,6 @@
 
         response.addHeader( CORS_ALLOW_CREDENTIALS, "true" );
         response.addHeader( CORS_ALLOW_ORIGIN, origin );
-        response.addHeader( CORS_EXPOSE_HEADERS, EXPOSED_HEADERS );
 
         if ( isPreflight( request ) )
         {
@@ -94,6 +93,10 @@
             response.setStatus( HttpServletResponse.SC_NO_CONTENT );
             return; // CORS preflight requires a 2xx status code, so we need to short-circuit the filter chain here
         }
+        else
+        {
+            response.addHeader( CORS_EXPOSE_HEADERS, EXPOSED_HEADERS );
+        }
 
         filterChain.doFilter( request, response );
     }