Could you unlock CORS policy for acme API so it can be used in web-based clients?
When I asked include for useing buypass CA in Zerossl.com, he said he can't do that due to CORS policy of buypass API.
Looks like their API is restricted via CORS (in a way that you can’t pull their API endpoint in the browser from anything but their own site basically):
Access-Control-Allow-Origin’ does not match ‘https://www.buypass.no’
Unless they change that, it won’t be possible to add it to the online client.
But web based client is where longer lifetime of buypass offers shines most, because clients isn't likely to automate renewal. And this API is public one, so I don't think there is reason for block web based clients for it.
5 replies
-
You can use acme.sh ,,,, it runs even if you don't have SSH access
-
It looks like there was never an answer to the question asked there about CORS, so perhaps someone on Buypass side could comment - are there any plans to relax CORS (whether to * or to specific origins)? Otherwise it is not possible to create a purely in-browser client.
-
Will we have any relaxation for CORS?
Not a bump, but it would be cool -
We are currently analyzing the consequences for unlocking CORS in our ACME solution, both with respect to general security aspects and also in terms of a planned change in our business model. We will provide some more information during the next weeks.
-
We have decided to not unlock the CORS policy now. We may change this when introducing a new business model later this year.
Sorry for the extremely late response..