"Last-Event-ID" header, used by EventSource - http://dev.w3.org/html5/eventsource/ , should be a simple header
EventSource already allows CORS with this header without preflight
Seems, Firefox allows to use this headers for simple CORS request:
accept, accept-language, content-language, content-type, last-event-id
And Webkit allows:
accept, accept-language, content-language, content-type, origin, referer
That EventSource uses it does not mean everyone should be allowed to use it without preflight. It's just part of the EventSource protocol; it's not an author request header.
EventSource can not be polyfilled with XMLHttpRequest without it.
If EventSource can do this with CORS and passing through redirects, then there is no risks.
What is a main problem to include this header in simples headers list?
Isn't it too late to polyfill?
EventSource is much more limited in scope than XMLHttpRequest is, so there is some (largely theoretical) risk.
I don't really mind either way, I suggest talking to some implementors.
>>Isn't it too late to polyfill?
I think, it is not.
We decided at the F2F that we do not want to expand the list of simple headers. We want to make CORS more stable and this proposal does not have much merit (EventSource is in almost all browsers already, and in those it is not Last-Event-ID is not a simple header either so that doesn't help either way), and therefore is rejected.
*** This bug has been marked as a duplicate of bug 17042 ***