docs(0009): recommend cors headers for spsp

interledger · Jun 1, 2020 · b3159a9 · b3159a9
1 parent 976174e
commit b3159a9
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/0009-simple-payment-setup-protocol/0009-simple-payment-setup-protocol.md b/0009-simple-payment-setup-protocol/0009-simple-payment-setup-protocol.md
@@ -1,7 +1,7 @@
 ---
 title: The Simple Payment Setup Protocol (SPSP)
 type: working-draft
-draft: 11
+draft: 12
 ---
 # Simple Payment Setup Protocol (SPSP)
 
@@ -63,6 +63,19 @@ Host: example.com
 Accept: application/spsp4+json, application/spsp+json
 ```
 
+##### Request Headers to Support Web Monetization Polyfills
+
+[Web Monetization](../0028-web-monetization/0028-web-monetization.md) polyfills may query SPSP from a non-privileged context they are implemented as a script rather than a browser extension. Sites may choose to use a script-based polyfill to enable Web Monetization for their visitors without requiring any browser extension or browser support.
+
+In this situation, [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) headers are necessary to make the SPSP server reachable. If CORS headers are not included, the SPSP query will be rejected and Web Monetization will fail to initialize.
+
+SPSP servers SHOULD expose the CORS headers listed below on `GET <SPSP Endpoint>` **and `OPTIONS <SPSP Endpoint>`**.
+
+| Header | Value |
+|:---|:---|
+| `Access-Control-Allow-Origin` | `*` |
+| `Access-Control-Allow-Headers` | `web-monetization-id` |
+
 ##### Request Headers to Support STREAM Receipts
 
 The request MAY contain at least the following headers in order to pre-share [STREAM Receipt](../0039-stream-receipts/0039-stream-receipts.md) details between the SPSP Server and [receipt verifier](../0039-stream-receipts/0039-stream-receipts.md#conventions-and-definitions):