Just a suggestion, since wildcard for Access-Control-Expose-Headers isn't widely supported yet, I would recommend filling Access-Control-Expose-Headers in the AllowAll configuration with the result of whatever is set in the wrapped handler minus any of the 6 default values and other Access-Control-* headers.