From 4ca54404fa4ae3b2ae58c34688204883e4c94903 Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Tue, 3 Jul 2018 16:15:29 -0600 Subject: [PATCH] Document the CORS/preflight headers Fixes https://github.com/matrix-org/matrix-doc/issues/1006 --- specification/client_server_api.rst | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/specification/client_server_api.rst b/specification/client_server_api.rst index dec3a4f4..f7a7d509 100644 --- a/specification/client_server_api.rst +++ b/specification/client_server_api.rst @@ -164,6 +164,26 @@ recommended. {{versions_cs_http_api}} +Web Browser Clients +------------------- + +It is realistic to expect that some clients will be written to be run within a +web browser or similar environment. In these cases, the homeserver should respond +to pre-flight requests and supply Cross-Origin Resource Sharing (CORS) headers. + +When a client approaches the server with a pre-flight (``OPTIONS``) request, the +server should respond with the CORS headers for that route. If the route does not +exist, the server should return an ``M_NOT_FOUND`` error with a 404 status code. + +The standard CORS headers to be returned by servers on all requests are: + +.. code:: + + Access-Control-Allow-Origin: * + Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS + Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization + + Client Authentication ---------------------
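Review bot: The sentence "The standard CORS headers to be returned by servers on all requests" does not say whether the 404 ``M_NOT_FOUND`` response described in the paragraph above it also carries those headers. A browser will not expose a cross-origin response body to the client without ``Access-Control-Allow-Origin``, so a web client could not read the ``M_NOT_FOUND`` error unless the headers are present on error responses too; I would say so explicitly. In the header block, ``Access-Control-Allow-Origin: *`` appears alongside ``Authorization`` in ``Access-Control-Allow-Headers`` with no rationale. If the reasoning is that authentication relies on the explicitly sent ``Authorization`` header rather than on cookies, please add a sentence stating that, and note that servers should not send ``Access-Control-Allow-Credentials: true`` with the wildcard origin, since browsers reject that combination. Smaller points: the text uses lower-case "should" throughout, so it is unclear whether these are requirements or recommendations, and the subject line says "preflight" while the body says "pre-flight".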