Security error. Which seemed to kind of make sense. Didn't seem to be allowed via Javascript. Googling now it seems like it might be possible if you write the header to the AJAX HTTP request explicitly. I might play more with that later. Granted, there, for most users, the difference would be minimal since most presumably wouldn't read the page's Javascript to verify what we'd said.