Add Last-Event-ID to CORS-safelisted headers

The EventSource API does _not_ run any preflight request when specifying
the `Last-Event-ID` header, and so `fetch` requests should also allow
this header to be set manually.

See whatwg/fetch#568 for more information

Author: rexxars

fetch/api/cors/cors-no-preflight.any.js

@@ -39,3 +39,5 @@ corsNoPreflight("Cross domain [GET] [Content-Type: multipart/form-data]", host_i
 corsNoPreflight("Cross domain [GET] [Content-Type: text/plain]", host_info.HTTP_REMOTE_ORIGIN, "GET" , "Content-Type", "text/plain");
 corsNoPreflight("Cross domain [GET] [Content-Type: text/plain;charset=utf-8]", host_info.HTTP_REMOTE_ORIGIN, "GET" , "Content-Type", "text/plain;charset=utf-8");
 corsNoPreflight("Cross domain [GET] [Content-Type: Text/Plain;charset=utf-8]", host_info.HTTP_REMOTE_ORIGIN, "GET" , "Content-Type", "Text/Plain;charset=utf-8");
+corsNoPreflight("Cross domain [GET] [Last-Event-ID: evt-14]", host_info.HTTP_REMOTE_ORIGIN, "GET", "Last-Event-ID", "evt-14");
+corsNoPreflight("Cross domain [GET] [Last-Event-ID: EvT-15]", host_info.HTTP_REMOTE_ORIGIN, "GET", "Last-Event-ID", "EvT-15");

fetch/api/cors/resources/not-cors-safelisted.json

@@ -8,6 +8,8 @@
   ["content-language", "@"],
   ["content-type", "text/html"],
   ["content-type", "text/plain; long=0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901"],
+  ["last-event-id", "\""],
+  ["lsat-event-id", "012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678"],
   ["range", "bytes 0-"],
   ["test", "hi"]
 ]