I concur, the Location header is not *required* to be present in any response except for: newOrder (per the "->" in the table in Section 7.1), newAccount (per the same, and the text in Section 7.3), and newAuthorization (per the text in Section 7.4.1). I disagree with the analysis in the linked pull requests, but personally have no objection to the fact that we provide this header in more responses than is strictly required.
Notably, the Location header is only supposed to be served <https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Location> alongside 3XX redirects and 201 Created responses, so it is arguably *incorrect* for us to provide it in Finalize responses. But at this point I'm sure someone relies on it (per Hyrum's law) and so I think it is unlikely we will remove it. Aaron On Mon, Jul 28, 2025 at 2:19 AM Q Misell <[email protected]> wrote: > I would consider sec. 7.1 to be the normative definition of Location > header inclusion, and it doesn't mention it for finalize. > > Ar Gwen, 25 Gorff 2025 am 19:39 Ben Burkert <[email protected]> > ysgrifennodd: > >> Is a 'Location' header required to be in the response to a finalize >> order request? Section 7.4 of RFC 8555 makes no mention of the >> 'Location' header like section 7.3 for a new account response, but the >> example response at the end of Section 7.4 includes it. Likewise, there >> is no mention of it for new order responses but it is present in the >> example. >> >> Pebble[1] & Boulder[2] considers it to be in the spec, but some ACME >> providers (like Buypass.com) do not include the 'Location' in their >> finalize responses. It seems like it has to be a requirement for new >> order responses. But for finalize responses it's more of an optimization >> because the client should know the order location from the order >> creation response. >> >> Cheers, >> -Ben >> >> >> [1] https://github.com/letsencrypt/pebble/pull/85 >> [2] https://github.com/letsencrypt/boulder/pull/3336 >> >> _______________________________________________ >> Acme mailing list -- [email protected] >> To unsubscribe send an email to [email protected] >> > _______________________________________________ > Acme mailing list -- [email protected] > To unsubscribe send an email to [email protected] >
_______________________________________________ Acme mailing list -- [email protected] To unsubscribe send an email to [email protected]
