oauthstuff · danielfett · Jun 5, 2023 · Jun 5, 2023 · Jun 5, 2023 · Jun 5, 2023
diff --git a/documenthistory.md b/documenthistory.md
@@ -2,6 +2,13 @@
 
    [[ To be removed from the final specification ]]
 
+   -23
+
+   * Added CORS considerations
+   * Reworded (#client_impersonating_countermeasures) to be more in line with OAuth 2.1
+   * Editorial changes
+   * Clarifications and updated references
+
    -22
 
    * Added section on securing in-browser communication

diff --git a/recommendations.md b/recommendations.md
@@ -241,3 +241,10 @@ If the authorization response is sent with in-browser communication techniques
 like postMessage [@postmessage_api] instead of HTTP redirects, both the
 initiator and receiver of the in-browser message MUST be strictly verified as described
 in (#rec_ibc).
+
+To support browser-based clients, endpoints directly accessed by such clients
+including the Token Endpoint, Authorization Server Metadata Endpoint, `jwks_uri`
+Endpoint, and the Dynamic Client Registration Endpoint MAY support the use of
+Cross-Origin Resource Sharing (CORS, [@CORS]). However, CORS MUST NOT be
+supported at the Authorization Endpoint as the client does not access this
+endpoint directly, instead the client redirects the user agent to it.
diff --git a/references.md b/references.md
@@ -295,3 +295,11 @@ OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
     <date />
   </front>
 </reference>
+
+<reference anchor="CORS" target="https://fetch.spec.whatwg.org/#http-cors-protocol">
+  <front>
+    <title>Fetch Standard: CORS protocol</title>
+    <author>WHATWG</author>
+    <date />
+  </front>
+</reference>