From c39466236c895fc030f827b334132bdafcc53308 Mon Sep 17 00:00:00 2001 From: hmolsen Date: Wed, 18 Dec 2024 22:59:01 +0100 Subject: [PATCH] Reflect that GET, HEAD, and POST are always allowed methods We recently came across the behaviour that even a non-simple POST request is allowed by the browsers, even if POST is not explicitly stated in the A-C-Allow-Methods header. So I looked it up in the specification and found that in fact _all_ GET, HEAD, and POST requests are CORS-safelisted methods (see also fetch-spec https://fetch.spec.whatwg.org/#ref-for-cors-safelisted-method%E2%91%A2). A Google search revealed that I am not alone in being confused by this. This MDN page added to the confusion, as it shows an example explicitly allowing GET and POST by using this header, which does not make sense, as these HTTP methods are always allowed either way. So I changed the example to be more meaningful and added a short description to the directive. --- .../web/http/headers/access-control-allow-methods/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/files/en-us/web/http/headers/access-control-allow-methods/index.md b/files/en-us/web/http/headers/access-control-allow-methods/index.md index d9d79b6476c3102..a42f0101d608a35 100644 --- a/files/en-us/web/http/headers/access-control-allow-methods/index.md +++ b/files/en-us/web/http/headers/access-control-allow-methods/index.md 
@@ -32,7 +32,7 @@ Access-Control-Allow-Methods: * ## Directives - `` - - : A comma-separated list of the allowed request methods. + - : A comma-separated list of the allowed request methods. `GET`, `HEAD`, and `POST` are always allowed, regardless of whether they are specified in this header, as they are defined as [CORS-safelisted method](https://fetch.spec.whatwg.org/#cors-safelisted-method)s. - `*` (wildcard) - : All HTTP methods. It has this meaning only for requests without credentials (requests without [HTTP cookies](/en-US/docs/Web/HTTP/Cookies) or HTTP authentication information). In requests with credentials, it is @@ -41,7 +41,7 @@ Access-Control-Allow-Methods: * ## Examples ```http -Access-Control-Allow-Methods: GET, POST +Access-Control-Allow-Methods: PUT, DELETE Access-Control-Allow-Methods: * ```
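Review bot: in the directive hunk, the trailing "s" sits outside the link in `[CORS-safelisted method](https://fetch.spec.whatwg.org/#cors-safelisted-method)s`, which renders as a link followed by a stray letter; suggest `[CORS-safelisted methods](https://fetch.spec.whatwg.org/#cors-safelisted-method)` instead. The new sentence would also read more safely if it said that safelisting only exempts the method from this header's check, not from the rest of the preflight (the origin and request-header checks still have to pass), so that "always allowed" is not misread as "not subject to CORS"; something like "`GET`, `HEAD`, and `POST` are always allowed by this check, regardless of whether they are specified in this header, ..." would keep the meaning tied to the method list.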
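Review bot: in the examples hunk, `Access-Control-Allow-Methods: PUT, DELETE` is the right illustration now that the directive text says the safelisted methods need no listing, but it still sits directly above `Access-Control-Allow-Methods: *` with nothing separating them, so the block reads as one response carrying both lines. Since the `*` directive text in the same patch restricts the wildcard meaning to requests without credentials, consider a short sentence before the block (or splitting it into two fenced blocks) that presents the two lines as alternative responses and points back to that credentials caveat.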