From 10f4461de63af166b766442b2f8184a8a99a9561 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20Commaille?= Date: Thu, 21 Nov 2024 09:53:43 +0100 Subject: [PATCH] Clarify allowed HTTP methods in CORS responses (take 2) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Kévin Commaille --- content/client-server-api/_index.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/content/client-server-api/_index.md b/content/client-server-api/_index.md index bfcbd031..9090f9b8 100644 --- a/content/client-server-api/_index.md +++ b/content/client-server-api/_index.md @@ -314,11 +314,17 @@ respond with the CORS headers for that route. The recommended CORS headers to be returned by servers on all requests are: Access-Control-Allow-Origin: * - Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS, PATCH, HEAD + Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Headers: X-Requested-With, Content-Type, Authorization -{{% changed-in v="1.13" %}} `PATCH` and `HEAD` were added to the list for the -`Access-Control-Allow-Methods` header. +{{% boxes/note %}} +{{% added-in v="1.13" %}} The recommended value of the `Access-Control-Allow-Methods` +header only covers the existing endpoints in the specification. Servers which +support additional endpoints or methods should add those methods as well. + +This section will be updated whenever a new method is supported by an endpoint. +Examples of possible future-use methods include `PATCH` and `HEAD`. +{{% /boxes/note %}} ## Server Discovery