Content-Type restriction on http-01 is not enforced #1089
Comments
I do wonder if it's a good idea to enforce this, at least until ACME WG properly deliberates on the issues. See ietf-wg-acme/acme#9
I think we should not care at all. There should be 2 checks done at best for this: size (to prevent download of overly large "misplaced" files) and, most obviously, content; those are things that are static and cannot change without affecting the actual validation.
Maybe it would also be a good idea if the client sends an Accept header with its request.
It seems the restriction on Content-Type has been removed from the spec (ietf-wg-acme/acme#40), however it seems the private beta server does require it... should we close this issue and create a new one for lifting the restriction?
I think yes we should.
Fixed.
Per spec, the Content-Type for http-01 challenges must be either empty or text/plain. However, we do not currently enforce this in Boulder.
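The checks discussed in this thread (the Content-Type restriction, a size limit, and a content comparison) can be sketched as follows. This is an added example, not code from Boulder or from any participant in the thread; `checkHTTP01`, the `enforceType` switch, the `maxBody` cap and the sample token string are all assumptions made for illustration.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"io"
	"mime"
	"strings"
)

// maxBody is an assumed cap on how many bytes of the response are accepted.
const maxBody = 1024

// checkHTTP01 is a hypothetical helper (not Boulder's API). It applies the
// Content-Type rule from the issue (empty or text/plain) only when
// enforceType is set, then the size and content checks from the comments.
func checkHTTP01(contentType string, body io.Reader, expected string, enforceType bool) error {
	if enforceType && contentType != "" {
		// ParseMediaType strips parameters such as "; charset=utf-8".
		mt, _, err := mime.ParseMediaType(contentType)
		if err != nil || mt != "text/plain" {
			return fmt.Errorf("unexpected Content-Type %q", contentType)
		}
	}
	// Read one byte past the cap so an oversized body is rejected, not truncated.
	buf, err := io.ReadAll(io.LimitReader(body, maxBody+1))
	if err != nil {
		return err
	}
	if len(buf) > maxBody {
		return errors.New("response body too large")
	}
	if subtle.ConstantTimeCompare(buf, []byte(expected)) != 1 {
		return errors.New("response body does not match expected content")
	}
	return nil
}

func main() {
	want := "constructed-token.constructed-thumbprint" // constructed sample value
	big := strings.Repeat("A", 4096)                   // constructed oversized body
	fmt.Println(checkHTTP01("text/plain; charset=utf-8", strings.NewReader(want), want, true))
	fmt.Println(checkHTTP01("text/html", strings.NewReader(want), want, true))
	fmt.Println(checkHTTP01("text/html", strings.NewReader(want), want, false))
	fmt.Println(checkHTTP01("", strings.NewReader(big), want, true))
}
```

With `enforceType` set to false, only the size and content checks run, which matches the position taken in the comments that those two are the checks that matter.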