diff --git a/api/client-server/presence.yaml b/api/client-server/presence.yaml
index 2a97e1ba..68b3ee56 100644
--- a/api/client-server/presence.yaml
+++ b/api/client-server/presence.yaml
@@ -83,6 +83,8 @@ paths:
       description: |-
         Get the given user's presence state.
       operationId: getPresence
+      security:
+        - accessToken: []
       parameters:
         - in: path
           type: string
@@ -121,6 +123,15 @@ paths:
           description: |-
             There is no presence state for this user. This user may not exist or
             isn't exposing presence information to you.
+        403:
+          description: You are not allowed to see this user's presence status.
+          examples:
+            application/json: {
+              "errcode": "M_FORBIDDEN",
+              "error": "You are not allowed to see their presence"
+            }
+          schema:
+            "$ref": "definitions/error.yaml"
       tags:
         - Presence
   "/presence/list/{userId}":
diff --git a/changelogs/client_server.rst b/changelogs/client_server.rst
index a34d1b00..603e0062 100644
--- a/changelogs/client_server.rst
+++ b/changelogs/client_server.rst
@@ -35,6 +35,8 @@ Unreleased changes
     (`#1274 <https://github.com/matrix-org/matrix-doc/pull/1274>`_).
   - Document the GET version of ``/login``
     (`#1361 <https://github.com/matrix-org/matrix-doc/pull/1361>`_).
+  - Document the CORS/preflight headers
+    (`#1365 <https://github.com/matrix-org/matrix-doc/pull/1365>`_).
 
 - Spec clarifications:
 
@@ -59,6 +61,8 @@ Unreleased changes
     (`#1245 <https://github.com/matrix-org/matrix-doc/pull/1244>`_).
   - Define what a ``RoomEvent`` is on ``/rooms/{roomId}/messages``
     (`#1380 <https://github.com/matrix-org/matrix-doc/pull/1380>`_).
+  - Mark ``GET /presence/{userId}/status`` as requiring authentication
+    (`#1371 <https://github.com/matrix-org/matrix-doc/pull/1371>`_).
   - Describe ``StateEvent`` for ``/createRoom``
     (`#1329 <https://github.com/matrix-org/matrix-doc/pull/1329>`_).
   - Describe how the ``reason`` is handled for kicks/bans
diff --git a/changelogs/client_server/newsfragments/1397.feature b/changelogs/client_server/newsfragments/1397.feature
new file mode 100644
index 00000000..e4bd248a
--- /dev/null
+++ b/changelogs/client_server/newsfragments/1397.feature
@@ -0,0 +1 @@
+Document message formats on ``m.text`` and ``m.emote`` messages
diff --git a/event-schemas/examples/m.room.message#m.emote b/event-schemas/examples/m.room.message#m.emote
index 4280928e..79292ddf 100644
--- a/event-schemas/examples/m.room.message#m.emote
+++ b/event-schemas/examples/m.room.message#m.emote
@@ -2,7 +2,9 @@
   "age": 242352,
   "content": {
     "body": "thinks this is an example emote",
-    "msgtype": "m.emote"
+    "msgtype": "m.emote",
+    "format": "org.matrix.custom.html",
+    "formatted_body": "thinks <b>this</b> is an example emote"
   },
   "origin_server_ts": 1431961217939,
   "event_id": "$WLGTSEFSEF:localhost",
diff --git a/event-schemas/examples/m.room.message#m.text b/event-schemas/examples/m.room.message#m.text
index e00c7aa5..48a97db8 100644
--- a/event-schemas/examples/m.room.message#m.text
+++ b/event-schemas/examples/m.room.message#m.text
@@ -2,7 +2,9 @@
   "age": 242352,
   "content": {
     "body": "This is an example text message",
-    "msgtype": "m.text"
+    "msgtype": "m.text",
+    "format": "org.matrix.custom.html",
+    "formatted_body": "<b>This is an example text message</b>"
   },
   "origin_server_ts": 1431961217939,
   "event_id": "$WLGTSEFSEF:localhost",
diff --git a/event-schemas/schema/m.room.message#m.emote b/event-schemas/schema/m.room.message#m.emote
index 88860cb2..f67a184b 100644
--- a/event-schemas/schema/m.room.message#m.emote
+++ b/event-schemas/schema/m.room.message#m.emote
@@ -12,6 +12,16 @@ properties:
         enum:
           - m.emote
         type: string
+      format:
+        description: |-
+          The format used in the ``formatted_body``. Currently only
+          ``org.matrix.custom.html`` is supported.
+        type: string
+      formatted_body:
+        description: |-
+          The formatted version of the ``body``. This is required if ``format``
+          is specified.
+        type: string
     required:
       - msgtype
       - body
diff --git a/event-schemas/schema/m.room.message#m.text b/event-schemas/schema/m.room.message#m.text
index 2720172d..b481bcea 100644
--- a/event-schemas/schema/m.room.message#m.text
+++ b/event-schemas/schema/m.room.message#m.text
@@ -12,6 +12,16 @@ properties:
         enum:
           - m.text
         type: string
+      format:
+        description: |-
+          The format used in the ``formatted_body``. Currently only
+          ``org.matrix.custom.html`` is supported.
+        type: string
+      formatted_body:
+        description: |-
+          The formatted version of the ``body``. This is required if ``format``
+          is specified.
+        type: string
     required:
       - msgtype
       - body
diff --git a/specification/client_server_api.rst b/specification/client_server_api.rst
index dec3a4f4..8dde4302 100644
--- a/specification/client_server_api.rst
+++ b/specification/client_server_api.rst
@@ -164,6 +164,25 @@ recommended.
 
 {{versions_cs_http_api}}
 
+Web Browser Clients
+-------------------
+
+It is realistic to expect that some clients will be written to be run within a
+web browser or similar environment. In these cases, the homeserver should respond
+to pre-flight requests and supply Cross-Origin Resource Sharing (CORS) headers on
+all requests.
+
+When a client approaches the server with a pre-flight (``OPTIONS``) request, the
+server should respond with the CORS headers for that route. The recommended CORS
+headers to be returned by servers on all requests are:
+
+.. code::
+
+  Access-Control-Allow-Origin: *
+  Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
+  Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization
+
+
 Client Authentication
 ---------------------