Ján,
I'm adding support for CORS requests to my server and I'm wondering if there are any response headers that you need/want exposed. I'm not familiar with XMLHttpRequest so I don't know what you have access to normally. Non-simple response headers that I think might be useful:
Accept-Ranges, Content-Encoding, Content-Location, DAV, ETag, Lock-Token, Preference-Applied, Schedule-Tag
Right now, your client works fine without Access-Control-Expose-Headers in the response, but I'm just trying to future-proof my code.