From 92a8a4050aee040393115fa8e5a5ded8b28cbfd9 Mon Sep 17 00:00:00 2001
From: Manik Kapoor <71554953+Manik2375@users.noreply.github.com>
Date: Mon, 13 Dec 2021 18:28:58 +0530
Subject: [PATCH] addition-of-third-header-in-list

---
 5-network/05-fetch-crossorigin/article.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/5-network/05-fetch-crossorigin/article.md b/5-network/05-fetch-crossorigin/article.md
index d8d9bbb8..7c880ac0 100644
--- a/5-network/05-fetch-crossorigin/article.md
+++ b/5-network/05-fetch-crossorigin/article.md
@@ -207,10 +207,11 @@ Some time ago no one could even imagine that a webpage could make such requests.
 
 So, to avoid misunderstandings, any "unsafe" request -- that couldn't be done in the old times, the browser does not make such requests right away. First, it sends a preliminary, so-called "preflight" request, to ask for permission.
 
-A preflight request uses the method `OPTIONS`, no body and two headers:
+A preflight request uses the method `OPTIONS`, no body and three headers:
 
 - `Access-Control-Request-Method` header has the method of the unsafe request.
 - `Access-Control-Request-Headers` header provides a comma-separated list of its unsafe HTTP-headers.
+- `ORIGIN` header tells from where the request came. (such as `https://javascript.info`)
 
 If the server agrees to serve the requests, then it should respond with empty body, status 200 and headers: