CORS is implemented in such a way that it does not break assumptions made in the pre-CORS, same-origin-only world.
In the pre-CORS world, a client could trigger a cross-origin request (for example, via a script tag), but it could not read the response headers.
In order to ensure that CORS doesn’t break this assumption, the CORS spec requires the server to give explicit permissions for the client to read those headers (via the Access-Control-Expose-Headers
header). This way, unauthorized CORS requests behave as they did in a pre-CORS world.