The response headers I see in Chrome Dev tools don't match the ones that Angular 2 is showing in the Chrome console.
Only the Content-Type header is showing up after having executed:
    this.http.get(tempUrl).map(res => {
        console.log("csrf received");
        console.log(res);
    })
Only a certain list of "safe" headers are exposed by default (to JavaScript). This is for security reasons. This list is as follows
In order to expose other headers, the server should send the access control header Access-Control-Expose-Headers, listing all the headers it wants to expose.
Access-Control-Expose-Headers: Content-Length, X-CSRF-Token
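The filtering described in the answer above, as an added example that is not part of the original posts: a small model of which response headers a browser lets script read on a cross-origin response. The function name `visibleHeaders` is hypothetical, the safelist and wildcard rule are taken from the Fetch standard, and the sample header values are constructed.

```javascript
// Added example: models which response headers a browser lets script read
// on a cross-origin response, following the Fetch standard's rules.

// CORS-safelisted response header names (Fetch standard).
const SAFELISTED = new Set([
  'cache-control', 'content-language', 'content-length',
  'content-type', 'expires', 'last-modified', 'pragma',
]);
// Forbidden response header names: never readable from script.
const FORBIDDEN = new Set(['set-cookie', 'set-cookie2']);

// responseHeaders: plain object of header name -> value (constructed input).
// withCredentials: true when the request was sent with credentials,
// in which case "*" is treated as a literal header name, not a wildcard.
function visibleHeaders(responseHeaders, withCredentials = false) {
  const lower = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    lower[name.toLowerCase()] = value;
  }
  const exposed = new Set(
    (lower['access-control-expose-headers'] || '')
      .split(',')
      .map((h) => h.trim().toLowerCase())
      .filter(Boolean)
  );
  const wildcard = exposed.has('*') && !withCredentials;

  const visible = {};
  for (const [name, value] of Object.entries(lower)) {
    if (FORBIDDEN.has(name)) continue;
    if (SAFELISTED.has(name) || exposed.has(name) || wildcard) {
      visible[name] = value;
    }
  }
  return visible;
}

// Constructed sample response, using the header line from the answer above.
const sample = {
  'Content-Type': 'application/json',
  'X-CSRF-Token': 'constructed-token-value',
  'X-Internal-Trace': 'constructed-trace-id',
  'Set-Cookie': 'sid=constructed',
  'Access-Control-Expose-Headers': 'Content-Length, X-CSRF-Token',
};
console.log(Object.keys(visibleHeaders(sample)));
```

Listing only the headers the client actually needs keeps internal ones such as the constructed `X-Internal-Trace` unreadable from script, which a `*` value would not.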