Content-Type restriction on http-01 is not enforced #1089
Comments
|
I do wonder if it's a good idea to enforce this, at least until ACME WG properly deliberates on the issues. See ietf-wg-acme/acme#9 |
|
I think we should not care at all. there should be done 2 checks at best for this: size (to prevent download of loverly large "misplaced" files and most obviously content, that are things that are static and cannot change without affecting the actual validation. |
|
Maybe it would also be an good idea if the client send an Accept header with its request. |
|
It seems the restriction on Content-Type has been removed from the spec (ietf-wg-acme/acme#40), however it seems the private beta server does require it... should we close this issue and create a new one for lifting the restriction? |
|
I think yes we should. |
|
Fixed. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Per spec, the Content-Type for http-01 challenges must be either empty or text/plain. However, we do not currently enforce this in Boulder.
The text was updated successfully, but these errors were encountered: