Created attachment 450774 [details]
Console log showing the failure scenario.

We have a web app that allows for offline behavior. When offline, the API calls that the UI would make are stored in a queue. Then when the device comes back online, the service worker parses the offline request queue and syncs the activities with the server via fetch calls. We are seeing that Safari (tested on iPad Pro and Mac) intermittently refuses to execute a request with an image in the body with the following error:

Failed to load resource: Request header field Cache-Control is not allowed by Access-Control-Allow-Headers

This is strange behavior because this header is automatically added to other requests and they execute without a problem. The problem only happens when both of the following conditions are met:

(i) The network request is made from the service worker queue (in our app, this means the device was offline but is coming back online)
(ii) The network request contains blob data in the body (in our case, an image. Plain JSON calls go through without an issue)

The error does not happen unless both of the above conditions are met. But if both of the conditions are met, the error appears intermittently. Sometimes the request goes through and othertimes it is blocked. 

From MDN ( https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers ), "CORS-safelisted request headers are always allowed" and therefore shouldn't need to be added to Access-Control-Allow-Headers. Cache-Control is listed as a CORS-safelisted response header: https://developer.mozilla.org/en-US/docs/Glossary/CORS-safelisted_response_header

We were able to work around this by adding Cache-Control to the server's Access-Control-Allow-Headers list, but it seemed like strange behavior so we wanted to report it.