-Sam Weinig
The Access Control spec should state that the request headers, in
addition to the headers normally included in the request ("User-
Agent") should be sent for Simple Cross-Site Access Request as well as
Cross-Site Access Request with Preflight. This, of course, would only
include the white-listed headers.