diff --git a/specification/client_server_api.rst b/specification/client_server_api.rst index f7a7d509..33ee8b1a 100644 --- a/specification/client_server_api.rst +++ b/specification/client_server_api.rst @@ -169,7 +169,8 @@ Web Browser Clients It is realistic to expect that some clients will be written to be run within a web browser or similar environment. In these cases, the homeserver should respond -to pre-flight requests and supply Cross-Origin Resource Sharing (CORS) headers. +to pre-flight requests and supply Cross-Origin Resource Sharing (CORS) headers on +all requests. When a client approaches the server with a pre-flight (``OPTIONS``) request, the server should respond with the CORS headers for that route. If the route does not
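Review bot: The added wording "supply Cross-Origin Resource Sharing (CORS) headers on all requests" is ambiguous, because CORS headers are sent by the homeserver in its responses, not carried on the client's requests. Suggest "on all responses" or "in response to all requests". It would also help to say explicitly whether this covers error responses, since a browser will not let a web client read a cross-origin error response that lacks the headers. The unchanged sentence that follows only describes "the CORS headers for that route" in the pre-flight (``OPTIONS``) case, so a reader cannot tell from this hunk which headers are expected on non-pre-flight responses.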