draft mandatory
All pubkeys MUST be in hex format
Servers MUST set the Access-Control-Allow-Origin: * header on all responses to ensure compatibility with applications hosted on other domains.
For preflight (OPTIONS) requests,
servers MUST also set, at minimum, the Access-Control-Allow-Headers: Authorization, * and Access-Control-Allow-Methods: GET, HEAD, PUT, DELETE headers.
The header Access-Control-Max-Age: 86400 MAY be set to cache the results of a preflight request for 24 hours.
Every time a server sends an error response (HTTP status codes >=400), it MAY include a human-readable header X-Reason that can be displayed to the user.
All endpoints MUST be served from the root of the domain (eg. the /upload endpoint MUST be accessible from https://cdn.example.com/upload, etc). This allows clients to talk to servers interchangeably when uploading or retrieving blobs
The GET /<sha256> endpoint MUST return the contents of the blob in the response body. the Content-Type header SHOULD beset to the appropriate MIME-type
The endpoint MUST accept an optional file extension in the URL. ie. .pdf, .png, etc
Regardless of the file extension, the server MUST return the MIME type of the blob in the Content-Type header. If the
server does not know the MIME type of the blob, it MUST default to application/octet-stream
If the endpoint returns a redirection 3xx status code such as 307 or 308 (RFC 9110 section 15.4), it MUST redirect to a URL containing the same sha256 hash as the requested blob. This ensures that if a user copies or reuses the redirect URL, it will contain the original sha256 hash.
While the final blob may not be served from a Blossom server (e.g. CDN, IPFS, object storage, etc.), the destination
server MUST set the Access-Control-Allow-Origin: * header on the response to allow cross-origin requests, as well as
the Content-Type and Content-Length headers to ensure the blob can be correctly displayed by clients. Two ways to
guarantee this are:
- Proxying the blob through the Blossom server, allowing it to override headers such as
Content-Type. - Manipulating the redirect URL to include a file extension that matches the blob type, such as
.pdf,.png, etc. If the server is unable to determine the MIME type of the blob, it MUST default toapplication/octet-streamand MAY include a file extension in the URL that reflects the blob type (e.g..bin,.dat, etc.).
Servers MAY require authorization when retrieving blobs, as defined by BUD-11.
The HEAD /<sha256> endpoint SHOULD be identical to the GET /<sha256> endpoint except that it MUST NOT return the
blob in the reponse body per RFC 7231
The endpoint MUST respond with the same Content-Type and Content-Length headers as the GET /<sha256> endpoint.
The endpoint MUST accept an optional file extension in the URL similar to the GET /<sha256> endpoint. ie. .pdf, .png, etc
To better support mobile devices, video files, or low bandwidth connections. servers should support range requests (RFC 7233 section 3) on the GET /<sha256> endpoint and signal support using the accept-ranges: bytes and content-length headers on the HEAD /<sha256> endpoint
See MDN docs for more details