Improve API endpoint compatibility by preventing CORS preflight request.

[richardkmichael]

The Content-Type and Referrer headers cause browsers implementing CORS to send a preflight (OPTION) request. If we remove them, our GET requests will be "simple", and no longer trigger a preflight.

Preventing the preflight and using a "simple" request makes it easier to work with endpoints that do not implement an OPTIONS response, but nevertheless do set Access-Control-Allow-Origin on the GET response. (Especially development environments.)

We do not need Content-Type because our GET requests have no payload.

Users requiring Referrer may add it explicitly with <autocomplete :request-headers="...">.

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS https://developer.mozilla.org/en-US/docs/Web/API/Request/referrerPolicy

Tested on latest Chrome, Firefox and Safari. Should be fine back to June/July 2016 (Chrome 52, Firefox 47). Note, the MDN browser compat info for Request.referrerPolicy Safari seems incomplete: refererPolicy does work.