Clarify allowed HTTP methods in CORS responses (take 2) (#2011)

* Clarify allowed HTTP methods in CORS responses (take 2)

Signed-off-by: Kévin Commaille <[email protected]>

* Update previous changelog an add duplicate changelog

Signed-off-by: Kévin Commaille <[email protected]>

---------

Signed-off-by: Kévin Commaille <[email protected]>

changelogs/client_server/newsfragments/1995.feature

@@ -1 +1 @@
-Add `PATCH` and `HEAD` to the allowed HTTP methods in CORS responses, as per [MSC4138](https://github.com/matrix-org/matrix-spec-proposals/pull/4138).
+Clarify the allowed HTTP methods in CORS responses, as per [MSC4138](https://github.com/matrix-org/matrix-spec-proposals/pull/4138).

changelogs/client_server/newsfragments/2011.feature

@@ -0,0 +1 @@
+Clarify the allowed HTTP methods in CORS responses, as per [MSC4138](https://github.com/matrix-org/matrix-spec-proposals/pull/4138).

content/client-server-api/_index.md

@@ -322,11 +322,17 @@ respond with the CORS headers for that route. The recommended CORS
 headers to be returned by servers on all requests are:
 
     Access-Control-Allow-Origin: *
-    Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS, PATCH, HEAD
+    Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
     Access-Control-Allow-Headers: X-Requested-With, Content-Type, Authorization
 
-{{% changed-in v="1.13" %}} `PATCH` and `HEAD` were added to the list for the
-`Access-Control-Allow-Methods` header.
+{{% boxes/note %}}
+{{% added-in v="1.13" %}} The recommended value of the `Access-Control-Allow-Methods`
+header only covers the existing endpoints in the specification. Servers which
+support additional endpoints or methods should add those methods as well.
+
+This section will be updated whenever a new method is supported by an endpoint.
+Examples of possible future-use methods include `PATCH` and `HEAD`.
+{{% /boxes/note %}}
 
 ## Server Discovery