Support for CORS headers on Let's Encrypt API endpoints


I was wondering if the Let’s Encrypt API endpoints ever implemented support for CORS headers (e.g. Access-Control-Allow-Origin)? A while back (2015) the request to add CORS support was accepted into both the ACME v1 spec and also by the Boulder developers and Boulder certainly has had activity since then for supporting CORS, but it looks like the current v1 and v2 endpoints for LE have it disabled?

Can someone confirm? And if so, was this done for security reasons?


CORS is working on ACME v2 for sure, since both ZeroSSL and a tool I wrote both rely on it.


Thank you! I realized I was tracing against the wrong base URL, yes confirmed the CORS headers are all there.