On Mon, Jun 20, 2011 at 3:57 AM, Anne van Kesteren <ann...@opera.com> wrote:
> On Mon, 20 Jun 2011 12:53:02 +0200, Jonas Sicking <jo...@sicking.cc> wrote:
>>
>> On Mon, Jun 20, 2011 at 3:22 AM, Anne van Kesteren <ann...@opera.com>
>> wrote:
>>>
>>> Agreed. I can add that to CORS. I already added Last-Event-ID for that
>>> reason, but somehow missed Cache-Control.
>>
>> Wait, we don't have to add any headers to the CORS spec just because
>> implementations of various specs need to send those without doing
>> preflight. The list of "simple headers" only affects which headers the
>> *page* can immediately set without a preflight being required, for
>> example through features like XMLHttpRequest.setRequestHeader.
>>
>> Headers that the implementation adds don't need to be added to this
>> list. For example the "Host" header is set by the browser in almost
>> all situations, but it does not need to be added to the list of
>> "simple headers". Indeed, adding it in there would be an outright bad idea.
>>
>> So I'm not convinced that the Last-Event-ID header needs to be in the
>> list.
>
> We could add Host as authors cannot set that anyway. But what you say makes
> sense. I will remove Last-Event-ID and add a note about how that list works.

One thing to keep in mind though is that in the case of XHR, the
Content-Type header is often in direct control of the page, even through
means other than setRequestHeader. For example by creating a Blob with a
specific content type using the .slice method.

/ Jonas
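
The distinction drawn in this thread, as an added example (not part of the original messages and not any browser's code): the preflight decision looks only at headers the page controls, including a Content-Type implied by a Blob body, and ignores headers the implementation adds. The function names are hypothetical, the body is a constructed Blob-like object with a `type` property, and the simple header list is the one from the CORS specification.

```javascript
// Added illustration; needsPreflight and effectiveAuthorHeaders are hypothetical names.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Headers the page controls: those passed to setRequestHeader, plus a
// Content-Type implied by a Blob-like body's .type when none was set explicitly.
function effectiveAuthorHeaders(authorHeaders, body) {
  const headers = new Map();
  for (const [name, value] of Object.entries(authorHeaders)) {
    headers.set(name.toLowerCase(), String(value));
  }
  if (!headers.has("content-type") && body &&
      typeof body.type === "string" && body.type !== "") {
    headers.set("content-type", body.type);
  }
  return headers;
}

function isSimpleHeader(name, value) {
  if (SIMPLE_HEADERS.has(name)) return true;
  if (name !== "content-type") return false;
  // Compare the media type only, ignoring parameters such as charset.
  const mediaType = value.split(";")[0].trim().toLowerCase();
  return SIMPLE_CONTENT_TYPES.has(mediaType);
}

// uaHeaders (Host, Last-Event-ID, Cache-Control, ...) are accepted but
// deliberately never consulted: they do not influence the decision.
function needsPreflight(method, authorHeaders, body, uaHeaders = {}) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of effectiveAuthorHeaders(authorHeaders, body)) {
    if (!isSimpleHeader(name, value)) return true;
  }
  return false;
}
```

A server that treats the absence of a preflight as a guarantee about the request should therefore validate Content-Type itself rather than assume only setRequestHeader can influence it.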