"access-control-expose-headers" should be enabled also for non-OPTIONS requests

[vpalmisano]

Adding this header prevents "Refused to get unsafe header "Content-Length"" errors.