minor fixes

5-network/05-fetch-crossorigin/article.md

@@ -214,6 +214,7 @@ A preflight request uses method `OPTIONS`, no body and two headers:
 
 If the server agrees to serve the requests, then it should respond with empty body, status 200 and headers:
 
+- `Access-Control-Allow-Origin` must be either `*` or the requesting origin, such as `https://javascript.info`, to allow it.
 - `Access-Control-Allow-Methods` must have the allowed method.
 - `Access-Control-Allow-Headers` must have a list of allowed headers.
 - Additionally, the header `Access-Control-Max-Age` may specify a number of seconds to cache the permissions. So the browser won't have to send a preflight for subsequent requests that satisfy given permissions.
@@ -265,10 +266,13 @@ The server should respond with status 200 and headers:
 
 That allows future communication, otherwise an error is triggered.
 
-If the server expects other methods and headers in the future, it makes sense to allow them in advance by adding to the list:
+If the server expects other methods and headers in the future, it makes sense to allow them in advance by adding to the list.
+
+For example, this response also allows `PUT`, `DELETE` and additional headers:
 
 ```http
 200 OK
+Access-Control-Allow-Origin: https://javascript.info
 Access-Control-Allow-Methods: PUT,PATCH,DELETE
 Access-Control-Allow-Headers: API-Key,Content-Type,If-Modified-Since,Cache-Control
 Access-Control-Max-Age: 86400
@@ -276,7 +280,7 @@ Access-Control-Max-Age: 86400
 
 Now the browser can see that `PATCH` is in `Access-Control-Allow-Methods` and `Content-Type,API-Key` are in the list `Access-Control-Allow-Headers`, so it sends out the main request.
 
-Besides, the preflight response is cached for time, specified by `Access-Control-Max-Age` header (86400 seconds, one day), so subsequent requests will not cause a preflight. Assuming that they fit the cached allowances, they will be sent directly.
+If there's header `Access-Control-Max-Age` with a number of seconds, then the preflight permissions are cached for the given time. The response above will be cached for 86400 seconds (one day). Within this timeframe, subsequent requests will not cause a preflight. Assuming that they fit the cached allowances, they will be sent directly.
 
 ### Step 3 (actual request)
 

5-network/05-fetch-crossorigin/xhr-another-domain.svg

@@ -1 +1 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="633" height="411" viewBox="0 0 633 411"><defs><style>@import url(https://fonts.googleapis.com/css?family=Open+Sans:bold,italic,bolditalic%7CPT+Mono);@font-face{font-family:&apos;PT Mono&apos;;font-weight:700;font-style:normal;src:local(&apos;PT MonoBold&apos;),url(/font/PTMonoBold.woff2) format(&apos;woff2&apos;),url(/font/PTMonoBold.woff) format(&apos;woff&apos;),url(/font/PTMonoBold.ttf) format(&apos;truetype&apos;)}</style></defs><g id="network" fill="none" fill-rule="evenodd" stroke="none" stroke-width="1"><g id="xhr-another-domain.svg"><path id="Rectangle-227" fill="#FFF9EB" stroke="#E8C48E" stroke-width="2" d="M1 16h128v64H1z"/><text id="JavaScript" fill="#8A704D" font-family="OpenSans-Regular, Open Sans" font-size="14" font-weight="normal"><tspan x="35" y="50">JavaScript</tspan></text><path id="Rectangle-228" fill="#FFF9EB" stroke="#E8C48E" stroke-width="2" d="M261 16h128v64H261z"/><text id="Browser" fill="#8A704D" font-family="OpenSans-Regular, Open Sans" font-size="14" font-weight="normal"><tspan x="296" y="50">Browser</tspan></text><path id="Rectangle-229" fill="#FFF9EB" stroke="#E8C48E" stroke-width="2" d="M504 16h128v64H504z"/><text id="Server" fill="#8A704D" font-family="OpenSans-Regular, Open Sans" font-size="14" font-weight="normal"><tspan x="544" y="50">Server</tspan></text><path id="Line" stroke="#979797" stroke-linecap="square" d="M66 81v320M326 81v320M569 81v320"/><path id="Line" fill="#EE6B47" fill-rule="nonzero" d="M312 133l14 7-14 7v-6H66v-2h246v-6z"/><text id="Origin:-https://java" fill="#8A704D" font-family="OpenSans-Regular, Open Sans" font-size="14" font-weight="normal"><tspan x="354.313" y="205">Origin: https://javascript.info</tspan></text><text id="HTTP-request" fill="#8A704D" font-family="OpenSans-Regular, Open Sans" font-size="14" font-weight="normal"><tspan x="401.015" y="174">HTTP-request</tspan></text><text id="fetch()" fill="#8A704D" font-family="OpenSans-Regular, Open Sans" font-size="14" font-weight="normal"><tspan x="171" y="131">fetch()</tspan></text><text id="HTTP-response" fill="#8A704D" font-family="OpenSans-Regular, Open Sans" font-size="14" font-weight="normal"><tspan x="398.419" y="250">HTTP-response</tspan></text><text id="Access-Control-Allow" fill="#8A704D" font-family="OpenSans-Regular, Open Sans" font-size="14" font-weight="normal"><tspan x="355" y="287">Access-Control-Allow-Origin: </tspan> <tspan x="360.13" y="305">* OR https://javascript.info</tspan></text><text id="if-the-header-allows" fill="#8A704D" font-family="OpenSans-Regular, Open Sans" font-size="14" font-weight="normal"><tspan x="85" y="325">if the header allows, then success,</tspan></text><text id="otherwise-fail" fill="#8A704D" font-family="OpenSans-Regular, Open Sans" font-size="14" font-weight="normal"><tspan x="148" y="353">otherwise fail</tspan></text><path id="Line" fill="#EE6B47" fill-rule="nonzero" d="M554 180l14 7-14 7v-6H328v-2h226v-6z"/><path id="Line-2" fill="#EE6B47" fill-rule="nonzero" d="M340 258v6h228v2H340v6l-14-7 14-7z"/><path id="Line-3" fill="#EE6B47" fill-rule="nonzero" d="M80 326v6h247v2H80v6l-14-7 14-7z"/></g></g></svg>
+<svg xmlns="http://www.w3.org/2000/svg" width="633" height="411" viewBox="0 0 633 411"><defs><style>@import url(https://fonts.googleapis.com/css?family=Open+Sans:bold,italic,bolditalic%7CPT+Mono);@font-face{font-family:&apos;PT Mono&apos;;font-weight:700;font-style:normal;src:local(&apos;PT MonoBold&apos;),url(/font/PTMonoBold.woff2) format(&apos;woff2&apos;),url(/font/PTMonoBold.woff) format(&apos;woff&apos;),url(/font/PTMonoBold.ttf) format(&apos;truetype&apos;)}</style></defs><g id="network" fill="none" fill-rule="evenodd" stroke="none" stroke-width="1"><g id="xhr-another-domain.svg"><path id="Rectangle-227" fill="#FFF9EB" stroke="#E8C48E" stroke-width="2" d="M1 16h128v64H1z"/><text id="JavaScript" fill="#8A704D" font-family="OpenSans-Regular, Open Sans" font-size="14" font-weight="normal"><tspan x="35" y="50">JavaScript</tspan></text><path id="Rectangle-228" fill="#FFF9EB" stroke="#E8C48E" stroke-width="2" d="M261 16h128v64H261z"/><text id="Browser" fill="#8A704D" font-family="OpenSans-Regular, Open Sans" font-size="14" font-weight="normal"><tspan x="296" y="50">Browser</tspan></text><path id="Rectangle-229" fill="#FFF9EB" stroke="#E8C48E" stroke-width="2" d="M504 16h128v64H504z"/><text id="Server" fill="#8A704D" font-family="OpenSans-Regular, Open Sans" font-size="14" font-weight="normal"><tspan x="544" y="50">Server</tspan></text><path id="Line" stroke="#979797" stroke-linecap="square" d="M66 81v320M326 81v320M569 81v320"/><path id="Line" fill="#EE6B47" fill-rule="nonzero" d="M312 133l14 7-14 7v-6H66v-2h246v-6z"/><text id="Origin:-https://java" fill="#8A704D" font-family="OpenSans-Regular, Open Sans" font-size="14" font-weight="normal"><tspan x="354.313" y="205">Origin: https://javascript.info</tspan></text><text id="HTTP-request" fill="#8A704D" font-family="OpenSans-Regular, Open Sans" font-size="14" font-weight="normal"><tspan x="401.015" y="174">HTTP-request</tspan></text><text id="fetch()" fill="#8A704D" font-family="OpenSans-Regular, Open Sans" font-size="14" font-weight="normal"><tspan x="171" y="131">fetch()</tspan></text><text id="HTTP-response" fill="#8A704D" font-family="OpenSans-Regular, Open Sans" font-size="14" font-weight="normal"><tspan x="398.419" y="250">HTTP-response</tspan></text><text id="Access-Control-Allow" fill="#8A704D" font-family="OpenSans-Regular, Open Sans" font-size="14" font-weight="normal"><tspan x="347.5" y="287">Access-Control-Allow-Origin: * </tspan> <tspan x="364.361" y="305">(or https://javascript.info)</tspan></text><text id="if-the-header-allows" fill="#8A704D" font-family="OpenSans-Regular, Open Sans" font-size="14" font-weight="normal"><tspan x="85" y="325">if the header allows, then success,</tspan></text><text id="otherwise-fail" fill="#8A704D" font-family="OpenSans-Regular, Open Sans" font-size="14" font-weight="normal"><tspan x="148" y="353">otherwise fail</tspan></text><path id="Line" fill="#EE6B47" fill-rule="nonzero" d="M554 180l14 7-14 7v-6H328v-2h226v-6z"/><path id="Line-2" fill="#EE6B47" fill-rule="nonzero" d="M340 258v6h228v2H340v6l-14-7 14-7z"/><path id="Line-3" fill="#EE6B47" fill-rule="nonzero" d="M80 326v6h247v2H80v6l-14-7 14-7z"/></g></g></svg>