Document CORS safelist exceptions

fetch.bs

@@ -97,6 +97,22 @@ url: https://tools.ietf.org/html/rfc7234#section-1.2.1;text:delta-seconds;type:d
         "publisher": "US-CERT",
         "href": "https://www.kb.cert.org/vuls/id/150227",
         "title": "HTTP proxy default configurations allow arbitrary TCP connections."
+    },
+    "REPORTING": {
+        "authors": ["Ilya Grigorik", "Mike West"],
+        "href": "https://wicg.github.io/reporting/",
+        "title": "Reporting API"
+    },
+    "EXPECT-CT": {
+        "authors": [
+            "Emily Stark"
+        ],
+        "href": "https://tools.ietf.org/html/draft-ietf-httpbis-expect-ct-02",
+        "publisher": "IETF",
+        "title": "Expect-CT Extension for HTTP"
+    },
+    "OCSP": {
+        "aliasOf": "RFC2560"
     }
 }
 </pre>
@@ -2236,8 +2252,10 @@ Access-Control-Allow-Credentials: true</pre>
 triggered by web content but whose headers and bodies can be only minimally controlled by the web
 content. Therefore, servers should expect cross-origin web content to be allowed to trigger
 non-preflighted requests with the following non-safelisted `<code>Content-Type</code>` header
-values: `<code>application/csp-report</code>`, `<code>application/report</code>`,
-`<code>application/expect-ct-report+json</code>`, and `<code>application/ocsp-request</code>`.
+values:
+`<code>application/csp-report</code>` [[CSP]], `<code>application/report</code>` [[REPORTING]],
+`<code>application/expect-ct-report+json</code>` [[EXPECT-CT]],
+`<code>application/xss-auditor-report</code>`, and `<code>application/ocsp-request</code>` [[OCSP]].
 
 <p>Specifications should avoid introducing new exceptions and should only do so with careful
 consideration for the security consequences. New exceptions can be proposed by