Editorial: clarify preflight request headers

jub0bs · web-flow · commit d6bf40656ecf · 2023-11-08T09:53:46.000+01:00
Clarify that, although CORS-preflight requests systematically include an Access-Control-Request-Method header, they do not systematically include an Access-Control-Request-Headers header. Fixes #1717.
diff --git a/fetch.bs b/fetch.bs
@@ -3386,13 +3386,17 @@ for all <a for=/>requests</a> whose <a for=request>method</a> is neither `<code>
 
 <p>A <dfn id=cors-preflight-request export>CORS-preflight request</dfn> is a <a>CORS request</a>
 that checks to see if the <a>CORS protocol</a> is understood. It uses `<code>OPTIONS</code>` as
-<a for=/>method</a> and includes these <a for=/>headers</a>:
+<a for=/>method</a> and includes the following <a for=/>header</a>:
 
 <dl>
  <dt>`<dfn export http-header id=http-access-control-request-method><code>Access-Control-Request-Method</code></dfn>`
  <dd><p>Indicates which <a for=/>method</a> a future
  <a>CORS request</a> to the same resource might use.
+</dl>
+
+<p>A <a>CORS-preflight request</a> can also include the following <a for=/>header</a>:
 
+<dl>
  <dt>`<dfn export http-header id=http-access-control-request-headers><code>Access-Control-Request-Headers</code></dfn>`
  <dd><p>Indicates which <a for=/>headers</a> a future
  <a>CORS request</a> to the same resource might use.
