Reflect that GET, HEAD, and POST are always allowed methods (#37266)

a non-simple POST request is allowed by the browsers, even if POST is not explicitly stated in the A-C-Allow-Methods header. changed the example to be more meaningful and added a short description to the <method> directive. Co-authored-by: Brian Smith <[email protected]>
mdn · Dec 19, 2024 · c376662 · c376662
1 parent 2524fe4
commit c376662
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/files/en-us/web/http/headers/access-control-allow-methods/index.md b/files/en-us/web/http/headers/access-control-allow-methods/index.md
@@ -32,7 +32,7 @@ Access-Control-Allow-Methods: *
 ## Directives
 
 - `<method>`
-  - : A comma-separated list of the allowed request methods.
+  - : A comma-separated list of the allowed request methods. `GET`, `HEAD`, and `POST` are always allowed, regardless of whether they are specified in this header, as they are defined as [CORS-safelisted method](https://fetch.spec.whatwg.org/#cors-safelisted-method)s.
 - `*` (wildcard)
   - : All HTTP methods.
     It has this meaning only for requests without credentials (requests without [HTTP cookies](/en-US/docs/Web/HTTP/Cookies) or HTTP authentication information). In requests with credentials, it is
@@ -41,7 +41,7 @@ Access-Control-Allow-Methods: *
 ## Examples
 
 ```http
-Access-Control-Allow-Methods: GET, POST
+Access-Control-Allow-Methods: PUT, DELETE
 Access-Control-Allow-Methods: *
 ```