From bfa3cb7f97d9be95951bbf20e97b5e92ce5e198d Mon Sep 17 00:00:00 2001 From: Michael Feldstein Date: Fri, 2 Aug 2019 16:25:57 -0700 Subject: [PATCH 1/2] Add cross-origin headers to sep10 --- ecosystem/sep-0010.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/ecosystem/sep-0010.md b/ecosystem/sep-0010.md index 29686f12d..27ee3a89b 100644 --- a/ecosystem/sep-0010.md +++ b/ecosystem/sep-0010.md @@ -41,6 +41,14 @@ A web service indicates that it supports user authentication via this protocol b * [`GET `](#challenge): request a challenge (step 1) * [`POST `](#token): exchange a signed challenge for session JWT (step 2) +## Cross-Origin Headers + +Valid CORS headers are necessary to allow web clients from other sites to use the endpoints. The following HTTP header must be set for all transfer server responses, including error responses. + +``` +Access-Control-Allow-Origin: * +``` + ### Challenge This endpoint must respond with a Stellar transaction signed by the server that has an invalid sequence number (0) and thus cannot be executed on the Stellar network. The client can then sign the transaction using standard Stellar libraries and submit it to [`token`](#token) endpoint to prove that they control their account. This approach is compatible with hardware wallets such as Ledger. The client can also verify the server's signature to be sure the challenge is signed by the `SIGNING_KEY` from the server's [`stellar.toml`](sep-0001.md). From 52febd29ca26346cf5283d0049ca907da12afc30 Mon Sep 17 00:00:00 2001 From: Michael Feldstein Date: Fri, 2 Aug 2019 16:27:02 -0700 Subject: [PATCH 2/2] Correct wording for cross-origin message --- ecosystem/sep-0010.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ecosystem/sep-0010.md b/ecosystem/sep-0010.md index 27ee3a89b..b410f4298 100644 --- a/ecosystem/sep-0010.md +++ b/ecosystem/sep-0010.md 
@@ -43,7 +43,7 @@ A web service indicates that it supports user authentication via this protocol b ## Cross-Origin Headers -Valid CORS headers are necessary to allow web clients from other sites to use the endpoints. The following HTTP header must be set for all transfer server responses, including error responses. +Valid CORS headers are necessary to allow web clients from other sites to use the endpoints. The following HTTP header must be set for all authentication endpoints, including error responses. ``` Access-Control-Allow-Origin: *
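Review bot: in the first hunk (the new `## Cross-Origin Headers` section) the single mandated header `Access-Control-Allow-Origin: *` is not enough for the `POST` token endpoint listed directly above it: a cross-origin POST carrying a JSON body is not a "simple" request, so browsers issue a preflight `OPTIONS` request first, and that preflight response also needs `Access-Control-Allow-Methods: GET, POST, OPTIONS` and `Access-Control-Allow-Headers: Content-Type` (or the section should state the request content type so implementers can work out what the preflight requires). The wildcard origin is the right choice for these endpoints, since they rely on no cookies or other ambient credentials, but it is worth stating that `Access-Control-Allow-Credentials` must not be sent alongside `*`, because browsers reject that combination. Two smaller points: the heading is `##` while the adjacent `### Challenge` is one level lower, which would make Challenge and Token subsections of Cross-Origin Headers, so `### Cross-Origin Headers` fits the surrounding structure; and "transfer server responses" is SEP-6 vocabulary that does not belong in this authentication spec (the second commit already addresses that wording).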
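Review bot: in the second hunk the replacement sentence "must be set for all authentication endpoints, including error responses" mixes endpoints and responses, so it reads as if error responses were endpoints; "must be set on every response from the authentication endpoints, including error responses" says what is meant. "Valid CORS headers" is also vague when only one header is then listed; either say "the following CORS header" or enumerate the full set (including what the preflight `OPTIONS` response must carry). Since this commit only corrects wording introduced by the first commit, squashing the two into one would keep the history readable.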