In order for a JavaScript client to read custom headers, like X-PressGang-Version (which is critical to allowing the client to fail over), the Access-Control-Allow-Origin and Access-Control-Expose-Headers headers need to be set. Right now, Access-Control-Allow-Origin is set to *. This needs to be fixed to use the CORS filter.
Fixed the headers properly in 1.2-SNAPSHOT build 201310161728. The problem was caused by the way resteasy handles exceptions. When resteasy catches an exception it completely creates a new HTTP Response which means that any headers set by a filter upstream of the request will be lost. As such I've setup the exception mappers to copy the headers from the original response into the new error response.
Confirmed that HTTP error responses include the required headers.