From 846cc49eb2a845f1715bbcc404daba4b9e9c05ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Commaille?=
 <76261501+zecakeh@users.noreply.github.com>
Date: Wed, 11 Dec 2024 18:21:49 +0100
Subject: [PATCH] Clarify allowed HTTP methods in CORS responses (take 2)
 (#2011)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Clarify allowed HTTP methods in CORS responses (take 2)

Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>

* Update previous changelog an add duplicate changelog

Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>

---------

Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>
---
 changelogs/client_server/newsfragments/1995.feature |  2 +-
 changelogs/client_server/newsfragments/2011.feature |  1 +
 content/client-server-api/_index.md                 | 12 +++++++++---
 3 files changed, 11 insertions(+), 4 deletions(-)
 create mode 100644 changelogs/client_server/newsfragments/2011.feature

diff --git a/changelogs/client_server/newsfragments/1995.feature b/changelogs/client_server/newsfragments/1995.feature
index 248ca0e37..5dd1a1266 100644
--- a/changelogs/client_server/newsfragments/1995.feature
+++ b/changelogs/client_server/newsfragments/1995.feature
@@ -1 +1 @@
-Add `PATCH` and `HEAD` to the allowed HTTP methods in CORS responses, as per [MSC4138](https://github.com/matrix-org/matrix-spec-proposals/pull/4138).
+Clarify the allowed HTTP methods in CORS responses, as per [MSC4138](https://github.com/matrix-org/matrix-spec-proposals/pull/4138).
diff --git a/changelogs/client_server/newsfragments/2011.feature b/changelogs/client_server/newsfragments/2011.feature
new file mode 100644
index 000000000..5dd1a1266
--- /dev/null
+++ b/changelogs/client_server/newsfragments/2011.feature
@@ -0,0 +1 @@
+Clarify the allowed HTTP methods in CORS responses, as per [MSC4138](https://github.com/matrix-org/matrix-spec-proposals/pull/4138).
diff --git a/content/client-server-api/_index.md b/content/client-server-api/_index.md
index 784a57deb..33ed8c56f 100644
--- a/content/client-server-api/_index.md
+++ b/content/client-server-api/_index.md
@@ -322,11 +322,17 @@ respond with the CORS headers for that route. The recommended CORS
 headers to be returned by servers on all requests are:
 
     Access-Control-Allow-Origin: *
-    Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS, PATCH, HEAD
+    Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
     Access-Control-Allow-Headers: X-Requested-With, Content-Type, Authorization
 
-{{% changed-in v="1.13" %}} `PATCH` and `HEAD` were added to the list for the
-`Access-Control-Allow-Methods` header.
+{{% boxes/note %}}
+{{% added-in v="1.13" %}} The recommended value of the `Access-Control-Allow-Methods`
+header only covers the existing endpoints in the specification. Servers which
+support additional endpoints or methods should add those methods as well.
+
+This section will be updated whenever a new method is supported by an endpoint.
+Examples of possible future-use methods include `PATCH` and `HEAD`.
+{{% /boxes/note %}}
 
 ## Server Discovery