Add Last-Event-ID as CORS-safelisted request-header

annevk · annevk · commit aa394cf04371 · 2017-09-04T19:32:59.000+02:00
It turns out that you can set the Last-Event-ID request header to arbitrary values and get it across origins. That seems like sufficient reason to safelist it and hopefully make it clear to server administrators to pay extra attention to this header. Tests: ... Fixes #568.
diff --git a/fetch.bs b/fetch.bs
@@ -426,6 +426,7 @@ whose <a for=header>name</a> is a <a>byte-case-insensitive</a> match for one of
  <a lt="extract header values">once extracted</a>, has a MIME type (ignoring parameters)
  that is `<code>application/x-www-form-urlencoded</code>`,
  `<code>multipart/form-data</code>`, or `<code>text/plain</code>`
+ <li>`<code>Last-Event-ID</code>`
 </ul>
 <!-- XXX * needs better xref
          * ignoring parameters has been the standard for a long time now
