ots: send /digest as text/plain to skip CORS preflight

hans-crypto · hans-crypto · commit ce34e1d94c55 · 2026-05-09T15:42:24.000+02:00
application/vnd.opentimestamps.v1 is not a CORS-safelisted Content-Type,
so the browser preflights every /digest POST with OPTIONS. The public
OTS calendars (alice/bob/finney) 404 the OPTIONS request -- they
implement only the protocol verbs, not OPTIONS -- so the actual POST
never goes through. Verified live with curl: alice's POST response
sets access-control-allow-origin: *, so a non-preflighted request
gets through cleanly. Calendars don't validate Content-Type, they
read the body bytes directly.
diff --git a/frontend/src/app/components/_ordpool/ots-stamp-verify/ots-stamp-verify.component.ts b/frontend/src/app/components/_ordpool/ots-stamp-verify/ots-stamp-verify.component.ts
@@ -204,9 +204,14 @@ export class OtsStampVerifyComponent {
   }
 
   private async postDigestToCalendar(uri: string, digest: Uint8Array): Promise<Uint8Array> {
+    // text/plain is a CORS-safelisted content type, so no preflight is sent.
+    // The OTS calendars don't validate Content-Type, they only read the body.
+    // If we send 'application/vnd.opentimestamps.v1' (the protocol-canonical
+    // value) the browser preflights with OPTIONS, the calendars 404 the
+    // OPTIONS, and the POST never happens. Verified live against alice.
     const resp = await fetch(uri + '/digest', {
       method: 'POST',
-      headers: { 'Content-Type': 'application/vnd.opentimestamps.v1' },
+      headers: { 'Content-Type': 'text/plain' },
       body: digest as BufferSource,
     });
     if (!resp.ok) throw new Error(uri + ' replied ' + resp.status);
