Add Range to no-cors safelisted headers

[joeyparrish]

What is the issue with the Fetch Standard?

Range requests are critical in media streaming applications, and I believe they should be safe for no-cors mode. I would like them to be added to the list of no-cors safelisted headers: https://fetch.spec.whatwg.org/#no-cors-safelisted-request-header-name

See conversation in #1310.

[joeyparrish]

Also, much gratitude to @annevk for patiently explaining things to us and for filing mdn/content#35488

[annevk]

Every time we have expanded what no-cors can do we have regretted it. There's also a general policy that new features need to use CORS. This idea has the backing of Chrome's security team? I'm very much opposed to this.