However, maybe we should simply remove those and always require a
preflight request for a request with "custom" headers. Not sure.
I think it's useful to have a white-list of headers that should be safe
for GET requests without a pre-flight request. I would actually like to
expand the list a little. There was a thread on that a while ago, but it
seemed to have died without reaching a useful list.
I agree. Could we expand the whitelist of headers that do not require a
preflight check (in GETs):
Accept
Accept-Language
If-Modified-Since
From
Range
Kris
