From c5d7eb7a2d18dc8e5481739769c3fe3348b9a953 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Commaille?=
 <76261501+zecakeh@users.noreply.github.com>
Date: Thu, 14 Nov 2024 12:51:06 +0100
Subject: [PATCH] Add `PATCH` and `HEAD` to the allowed HTTP methods in CORS
 responses (#1995)

---
 changelogs/client_server/newsfragments/1995.feature | 1 +
 content/client-server-api/_index.md                 | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/client_server/newsfragments/1995.feature

diff --git a/changelogs/client_server/newsfragments/1995.feature b/changelogs/client_server/newsfragments/1995.feature
new file mode 100644
index 00000000..248ca0e3
--- /dev/null
+++ b/changelogs/client_server/newsfragments/1995.feature
@@ -0,0 +1 @@
+Add `PATCH` and `HEAD` to the allowed HTTP methods in CORS responses, as per [MSC4138](https://github.com/matrix-org/matrix-spec-proposals/pull/4138).
diff --git a/content/client-server-api/_index.md b/content/client-server-api/_index.md
index 389ff927..66ca6316 100644
--- a/content/client-server-api/_index.md
+++ b/content/client-server-api/_index.md
@@ -314,9 +314,12 @@ respond with the CORS headers for that route. The recommended CORS
 headers to be returned by servers on all requests are:
 
     Access-Control-Allow-Origin: *
-    Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
+    Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS, PATCH, HEAD
     Access-Control-Allow-Headers: X-Requested-With, Content-Type, Authorization
 
+{{% changed-in v="1.13" %}} `PATCH` and `HEAD` were added to the list for the
+`Access-Control-Allow-Methods` header.
+
 ## Server Discovery
 
 In order to allow users to connect to a Matrix server without needing to