I think modifying headers like that requires pre-flight CORS and we can deny that.