From c3766629e2b90dafb73fa852440f7fb57c6ae5fe Mon Sep 17 00:00:00 2001 From: hmolsen Date: Thu, 19 Dec 2024 12:27:57 +0100 Subject: [PATCH] Reflect that GET, HEAD, and POST are always allowed methods (#37266) a non-simple POST request is allowed by the browsers, even if POST is not explicitly stated in the A-C-Allow-Methods header. changed the example to be more meaningful and added a short description to the directive. Co-authored-by: Brian Smith --- .../web/http/headers/access-control-allow-methods/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/files/en-us/web/http/headers/access-control-allow-methods/index.md b/files/en-us/web/http/headers/access-control-allow-methods/index.md index d9d79b6476c3102..a42f0101d608a35 100644 --- a/files/en-us/web/http/headers/access-control-allow-methods/index.md +++ b/files/en-us/web/http/headers/access-control-allow-methods/index.md @@ -32,7 +32,7 @@ Access-Control-Allow-Methods: * ## Directives - `` - - : A comma-separated list of the allowed request methods. + - : A comma-separated list of the allowed request methods. `GET`, `HEAD`, and `POST` are always allowed, regardless of whether they are specified in this header, as they are defined as [CORS-safelisted method](https://fetch.spec.whatwg.org/#cors-safelisted-method)s. - `*` (wildcard) - : All HTTP methods. It has this meaning only for requests without credentials (requests without [HTTP cookies](/en-US/docs/Web/HTTP/Cookies) or HTTP authentication information). In requests with credentials, it is @@ -41,7 +41,7 @@ Access-Control-Allow-Methods: * ## Examples ```http -Access-Control-Allow-Methods: GET, POST +Access-Control-Allow-Methods: PUT, DELETE Access-Control-Allow-Methods: * ```