libbitcoin · evoskuil · Oct 29, 2025 · Oct 29, 2025 · Oct 29, 2025 · Oct 29, 2025
diff --git a/include/bitcoin/node/protocols/protocol_html.hpp b/include/bitcoin/node/protocols/protocol_html.hpp
@@ -52,11 +52,11 @@ class BCN_API protocol_html
         const network::http::method::get& request) NOEXCEPT override;
 
     /// Senders.
-    void send_file(const network::http::string_request& request,
+    void send_file(const network::http::request& request,
         network::http::file&& file, network::http::mime_type type) NOEXCEPT;
 
     /// Utilities.
-    bool is_allowed_origin(const std::string& origin,
+    bool is_allowed_origin(const network::http::fields& fields,
         size_t version) const NOEXCEPT;
     std::filesystem::path to_local_path(
         const std::string& target = "/") const NOEXCEPT;

diff --git a/src/protocols/protocol_explore.cpp b/src/protocols/protocol_explore.cpp
@@ -44,14 +44,14 @@ void protocol_explore::handle_receive_get(const code& ec,
         return;
 
     // Enforce http origin policy (requires configured hosts).
-    if (!is_allowed_origin((*request)[field::origin], request->version()))
+    if (!is_allowed_origin(*request, request->version()))
     {
         send_forbidden(*request);
         return;
     }
 
     // Enforce http host header (if any hosts are configured).
-    if (!is_allowed_host((*request)[field::host], request->version()))
+    if (!is_allowed_host(*request, request->version()))
     {
         send_bad_host(*request);
         return;

diff --git a/src/protocols/protocol_html.cpp b/src/protocols/protocol_html.cpp
@@ -43,14 +43,14 @@ void protocol_html::handle_receive_get(const code& ec,
         return;
 
     // Enforce http origin policy (requires configured hosts).
-    if (!is_allowed_origin((*request)[field::origin], request->version()))
+    if (!is_allowed_origin(*request, request->version()))
     {
         send_forbidden(*request);
         return;
     }
 
     // Enforce http host header (if any hosts are configured).
-    if (!is_allowed_host((*request)[field::host], request->version()))
+    if (!is_allowed_host(*request, request->version()))
     {
         send_bad_host(*request);
         return;
@@ -72,15 +72,15 @@ void protocol_html::handle_receive_get(const code& ec,
         return;
     }
 
-    const auto default_type = mime_type::application_octet;
+    const auto default_type = mime_type::application_octet_stream;
     send_file(*request, std::move(file), file_mime_type(path, default_type));
 }
 
 // Senders.
 // ----------------------------------------------------------------------------
 
-void protocol_html::send_file(const string_request& request,
-    file&& file, mime_type type) NOEXCEPT
+void protocol_html::send_file(const request& request, file&& file,
+    mime_type type) NOEXCEPT
 {
     BC_ASSERT_MSG(stranded(), "strand");
     BC_ASSERT_MSG(file.is_open(), "sending closed file handle");
@@ -98,13 +98,14 @@ void protocol_html::send_file(const string_request& request,
 // Utilities.
 // ----------------------------------------------------------------------------
 
-bool protocol_html::is_allowed_origin(const std::string& origin,
+bool protocol_html::is_allowed_origin(const fields& fields,
     size_t version) const NOEXCEPT
 {
     BC_ASSERT_MSG(stranded(), "strand");
 
     // Allow same-origin and no-origin requests.
     // Origin header field is not available until http 1.1.
+    const auto origin = fields[field::origin];
     if (origin.empty() || version < version_1_1)
         return true;