From 611272e251cc25c408f79a2cb33e4425aba309bf Mon Sep 17 00:00:00 2001 From: Anthony Accioly <1591739+aaccioly@users.noreply.github.com> Date: Wed, 4 Jun 2025 21:37:13 +0100 Subject: [PATCH] Enhance proxying and redirection specification for blob retrieval --- buds/01.md | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/buds/01.md b/buds/01.md index f45d497..657b6ba 100644 --- a/buds/01.md +++ b/buds/01.md 
@@ -82,8 +82,22 @@ The endpoint MUST accept an optional file extension in the URL. ie. `.pdf`, `.pn Regardless of the file extension, the server MUST return the MIME type of the blob in the `Content-Type` header. If the server does not know the MIME type of the blob, it MUST default to `application/octet-stream` -If the endpoint returns a `301` or `302` redirect it MUST redirect to a URL containing the same sha256 hash as the requested blob. -This ensures that if a user was to copy or reuse the redirect URL it would still contain the original sha256 hash +### Proxying and Redirection (Optional) + +If the endpoint returns a redirection 3xx status code such as 307 or 308 ([RFC 9110 section +15.4](https://datatracker.ietf.org/doc/html/rfc9110#name-redirection-3xx)), it MUST redirect to a URL containing the +same sha256 hash as the requested blob. This ensures that if a user copies or reuses the redirect URL, it will still +contain the original sha56 hash. + +While the final blob may not be served from a Blossom server (e.g. CDN, IPFS, object storage, etc.), the destination +server MUST set the `Access-Control-Allow-Origin: *` header on the response to allow cross-origin requests, as well as +the `Content-Type` and `Content-Length` headers to ensure the blob can be correctly displayed by clients. Two ways to +guarantee this are: + +1. Proxying the blob through the Blossom server, allowing it to override headers such as `Content-Type`. +2. Manipulating the redirect URL to include a file extension that matches the blob type, such as `.pdf`, `.png`, etc. If +the server is unable to determine the MIME type of the blob, it MUST default to `application/octet-stream` and MAY +include a file extension in the URL that reflects the blob type (e.g. `.bin`, `.dat`, etc.). ### Get Authorization (optional)
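Review bot: The MUST in the second added paragraph is placed on "the destination server", which the same sentence says may be a CDN, IPFS gateway or object storage rather than a Blossom server, so the spec is putting a requirement on hosts that do not implement it. Consider placing it on the redirecting endpoint instead: it MUST only redirect to destinations that return `Access-Control-Allow-Origin: *`, `Content-Type` and `Content-Length`. Related to that, option 2 only changes the file extension in the redirect URL, and nothing in the hunk ties that to the CORS or `Content-Length` headers, so "Two ways to guarantee this" overstates what it achieves. The last sentence of item 2 also asks for an extension "that reflects the blob type" in the case where the MIME type is unknown; "a generic file extension (e.g. `.bin`, `.dat`)" would read consistently. Because the redirect rule only requires the URL to contain the hash, and the body may now come from a non-Blossom host, it may be worth stating whether clients are expected to check the received blob against that sha256. Two small fixes: "sha56 hash" in the first added paragraph should be "sha256 hash", and the new heading uses "(Optional)" while the next heading uses "(optional)".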