Our CORS implementation maintains a safelist of all permitted headers, and this list includes not only all headers in the spec, but all client hint headers. There appears to have been an oversight which omitted network quality client-hint headers from this list. These are `rtt`, `downlink`, and `ect`.
This is really just a bugfix, but I wanted to give the community a heads-up that I intend to resolve this oversight. Thanks to Cloudinary for notifying us of this issue.
We currently allow XHR to modify client hint headers that don't start with `sec-` in CORS requests despite them being safelisted. This change won't resolve that, but that issue is the next one to be addressed after this goes in.
WPTs were added in addition to a unit test to demonstrate usage.
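
To make the effect of the safelist gap concrete, the following added example (not part of the original post and not Chromium's code) is a simplified model of the Fetch "CORS-unsafe request-header names" check, run with and without `rtt`, `downlink`, and `ect` in the safelist. The other client hint names, the sample headers, and the function names are assumptions for illustration, and the `Content-Type` handling is reduced to an essence match.

```javascript
// Simplified model of Fetch's "CORS-unsafe request-header names" algorithm.
// Header lists are assumptions for illustration, not Chromium's source.
const SPEC_SAFELIST = ['accept', 'accept-language', 'content-language', 'content-type'];
// Assumed subset of client hints that were already safelisted.
const CLIENT_HINTS_BEFORE = ['save-data', 'device-memory', 'dpr', 'width', 'viewport-width'];
// The three network quality hints named in the post.
const NETWORK_QUALITY_HINTS = ['rtt', 'downlink', 'ect'];
const SIMPLE_CONTENT_TYPES = [
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];

const byteLength = (s) => new TextEncoder().encode(s).length;

function isSafelisted(name, value, safelist) {
  const lower = name.toLowerCase(); // header names are case-insensitive
  if (!safelist.includes(lower)) return false;
  // Fetch caps each safelisted header value at 128 bytes.
  if (byteLength(value) > 128) return false;
  if (lower === 'content-type') {
    const essence = value.split(';')[0].trim().toLowerCase();
    return SIMPLE_CONTENT_TYPES.includes(essence);
  }
  return true;
}

// Returns the sorted, lowercased names of headers that force a preflight.
function corsUnsafeHeaderNames(headers, safelist) {
  const unsafe = [];
  const potentiallyUnsafe = [];
  let safelistValueSize = 0;
  for (const [name, value] of headers) {
    if (!isSafelisted(name, value, safelist)) {
      unsafe.push(name.toLowerCase());
    } else {
      potentiallyUnsafe.push(name.toLowerCase());
      safelistValueSize += byteLength(value);
    }
  }
  // Past 1024 bytes of safelisted values, every one of them counts as unsafe.
  if (safelistValueSize > 1024) unsafe.push(...potentiallyUnsafe);
  return unsafe.sort();
}

const SAFELIST_BEFORE = [...SPEC_SAFELIST, ...CLIENT_HINTS_BEFORE];
const SAFELIST_AFTER = [...SAFELIST_BEFORE, ...NETWORK_QUALITY_HINTS];
// Constructed sample request headers.
const SAMPLE_HEADERS = [['DPR', '2'], ['RTT', '150'], ['Downlink', '1.5'],
                        ['ECT', '4g'], ['X-Trace', 'abc']];

console.log('before:', corsUnsafeHeaderNames(SAMPLE_HEADERS, SAFELIST_BEFORE));
console.log('after: ', corsUnsafeHeaderNames(SAMPLE_HEADERS, SAFELIST_AFTER));
```

Any name the function returns has to be approved by the server in `Access-Control-Allow-Headers` during a preflight; with the three hints safelisted, only the custom `x-trace` header in the sample still requires that.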