[whatwg/fetch] Wording suggests that CORS-preflight requests systematically include an Access-Control-Request-Headers header (Issue #1717)

### What is the issue with the Fetch Standard?

[Section 3.2.2](https://fetch.spec.whatwg.org/#http-requests) contains the following passage:

> A CORS-preflight request is a CORS request that checks to see if the CORS protocol is understood. It uses `OPTIONS` as method _and includes these headers_:
>
> * `Access-Control-Request-Method`
> Indicates which method a future CORS request to the same resource might use.
> 
> * `Access-Control-Request-Headers`
> Indicates which headers a future CORS request to the same resource might use.

(my emphasis)

This wording seems to imply that CORS-preflight requests systematically include the two headers in question. However, in reality, CORS-preflight requests systematically contain an `Access-Control-Request-Method` header and _only optionally_ contain an `Access-Control-Request-Headers` header.

This ambiguity may lead developers of CORS middleware into [misclassifying CORS-preflight requests](https://jub0bs.com/posts/2023-02-08-fearless-cors/#4-categorise-requests-correctly).

---

I suggest a reformulation, perhaps something like the following:

> A CORS-preflight request is a CORS request that checks to see if the CORS protocol is understood. It uses `OPTIONS` as method _and systematically includes the following header_:
>
> * `Access-Control-Request-Method`
> Indicates which method a future CORS request to the same resource might use.
> 
> A CORS-preflight request may also include the following header:
> 
> * `Access-Control-Request-Headers`
> Indicates which headers a future CORS request to the same resource might use.

https://github.com/whatwg/fetch/issues/1717

Received on Saturday, 14 October 2023 17:02:05 UTC
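The distinction the issue draws, as an added example that is neither part of the issue nor of the Fetch Standard: a small Go classifier that treats a request as a CORS preflight when it is an `OPTIONS` request carrying `Origin` and `Access-Control-Request-Method`, shown next to the over-strict variant that also demands `Access-Control-Request-Headers` and therefore misses preflights for requests without non-safelisted headers. Hostnames and header values are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// isPreflight recognises a CORS-preflight request as the issue describes it:
// OPTIONS, an Origin header and Access-Control-Request-Method are required;
// Access-Control-Request-Headers is optional and is deliberately not checked.
func isPreflight(r *http.Request) bool {
	if r.Method != http.MethodOptions || r.Header.Get("Origin") == "" {
		return false
	}
	// An absent or empty Access-Control-Request-Method means "not a preflight".
	return r.Header.Get("Access-Control-Request-Method") != ""
}

// isPreflightStrict shows the misclassification the issue warns about: by also
// demanding Access-Control-Request-Headers, it misses preflights for requests
// that carry no non-safelisted headers (e.g. a plain DELETE).
func isPreflightStrict(r *http.Request) bool {
	return isPreflight(r) && r.Header.Get("Access-Control-Request-Headers") != ""
}

// newRequest builds a constructed sample request (hypothetical hosts).
func newRequest(method string, headers map[string]string) *http.Request {
	r := httptest.NewRequest(method, "http://api.example/resource", nil)
	for k, v := range headers {
		r.Header.Set(k, v)
	}
	return r
}

func main() {
	// Preflight for a DELETE that sends no extra headers: no ACRH is present.
	del := newRequest(http.MethodOptions, map[string]string{
		"Origin": "https://app.example", "Access-Control-Request-Method": "DELETE"})
	// Preflight for a PUT that will also send a custom header.
	put := newRequest(http.MethodOptions, map[string]string{
		"Origin": "https://app.example", "Access-Control-Request-Method": "PUT",
		"Access-Control-Request-Headers": "x-api-key"})
	// OPTIONS with an Origin but no ACRM is an ordinary request, not a preflight.
	plain := newRequest(http.MethodOptions, map[string]string{"Origin": "https://app.example"})
	fmt.Println(isPreflight(del), isPreflightStrict(del)) // true false
	fmt.Println(isPreflight(put), isPreflightStrict(put)) // true true
	fmt.Println(isPreflight(plain))                       // false
}
```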