Document CORS safelist exceptions

fetch.bs

@@ -445,6 +445,9 @@ whose <a for=header>name</a> is a <a>byte-case-insensitive</a> match for one of
 <p>and whose <a for=header>value</a>, <a lt="extract header values">once extracted</a>, is not
 failure.
 
+<p class="note">There are limited exceptions to the `<code>Content-Type</code>` header safelist, as
+documented in <a href=#cors-protocol-exceptions>CORS protocol exceptions</a>.
+
 <p>A <dfn export>CORS non-wildcard request-header name</dfn> is a <a>byte-case-insensitive</a> match
 for `<code>Authorization</code>`.
 
@@ -2226,6 +2229,20 @@ Access-Control-Allow-Credentials: true</pre>
  ignored.
 </div>
 
+<h4 id=cors-protocol-exceptions>CORS protocol exceptions</h4>
+
+<p>Specifications have allowed limited exceptions to the CORS safelist for non-safelisted
+`<code>Content-Type</code>` header values. These exceptions are made for requests that can be
+triggered by web content but whose headers and bodies can be only minimally controlled by the web
+content. Therefore, servers should expect cross-origin web content to be allowed to trigger
+non-preflighted requests with the following non-safelisted `<code>Content-Type</code>` header
+values: `<code>application/csp-report</code>`, `<code>application/report</code>`,
+`<code>application/expect-ct-report+json</code>`, and `<code>application/ocsp-request</code>`.
+
+<p>Specifications should avoid introducing new exceptions and should only do so with careful
+consideration for the security consequences. New exceptions can be proposed by
+<a href=https://github.com/whatwg/fetch/issues/new>filing an issue</a>.
+
 
 <h3 id=x-content-type-options-header>`<code>X-Content-Type-Options</code>` header</h3>