Missing ABNF for additional headers

[jub0bs]

The spec provides no ABNF for the additional headers. This is in contrast with the Fetch standard, which provides ABNF for all the CORS-specific headers.

I believe this absence should be remedied. In particular, the spec should clarify that Access-Control-Request-Private-Network and Access-Control-Allow-Private-Network are singleton fields, not list-based fields (see RFC 9110); this distinction matters in the logic of extract header list values and therefore does matter for implementing of CORS middleware that support PNA.

I suggest the following ABNF:

Access-Control-Request-Private-Network = %s"true" ; case-sensitive
Access-Control-Allow-Private-Network   = %s"true" ; case-sensitive

[jub0bs]

Related to #132

[annevk]

Hmm, "extract header list values" is a legacy algorithm that new specifications shouldn't use.

[jub0bs]

@annevk Interesting. I didn't know that, and whatwg/fetch#814 wasn't on my radar.

Incidentally, I do wish RFC 9110 didn't require recipients to tolerate arbitrarily long OWS around the elements of a list-based field value. As a result, performance suffers in the face of malicious messages containing long OWS.