Looking at the CORS specification versions, I assume that Safari 5.1 (and similar versions) used the webkit assembly, which did not include Access-Control-Expose-Headers header support. This was not added to the draft CORS specification until July 2010. Safari 5.1 was launched in July 2011. According to this message flow, Access-Control-Expose-Headers support was not added to webkit until after November 2011, which means Safari 5.1 definitely did not support it. According to this website / safari support, support was not added until mid-January 2012, which means that the earliest version to support this support will be 5.1.7 (but maybe even later).