diff --git a/lib/browserid/http_forward.js b/lib/browserid/http_forward.js
index 61f431f5d40fd9f7f0d4e833894278d9ab2c7621..3eec38ed9b127280b6ed2a39f892e8930f7c095a 100644
--- a/lib/browserid/http_forward.js
+++ b/lib/browserid/http_forward.js
@@ -16,10 +16,14 @@ module.exports = function(dest, req, res, cb) {
     path: u.pathname,
     method: req.method
   }, function(pres) {
-    res.writeHead(
-      pres.statusCode,
-      pres.headers
-    );
+    var hdrs = {};
+    [ 'access-control-allow-origin', 'content-type', 'content-length' ].forEach(function(key) {
+      if (pres.headers.hasOwnProperty(key)) {
+        hdrs[key] = pres.headers[key];
+      }
+    });
+    res.writeHead(pres.statusCode, hdrs);
+
     pres.on('data', function (chunk) {
       res.write(chunk);
     }).on('end', function() {
diff --git a/lib/browserid/wsapi.js b/lib/browserid/wsapi.js
index e6be9ea80e1bf2c0a1aad28daa6b4518d496378c..0e94ed046b26e9c2159af0bf6b5f7d6a4535edfb 100644
--- a/lib/browserid/wsapi.js
+++ b/lib/browserid/wsapi.js
@@ -420,26 +420,6 @@ function setup(app) {
   });
 
   app.post('/wsapi/cert_key', checkAuthed, validate(["email", "pubkey"]), function(req, res) {
-    db.emailsBelongToSameAccount(req.session.authenticatedUser, req.body.email, function(sameAccount) {
-      // not same account? big fat error
-      if (!sameAccount) return httputils.badRequest(res, "that email does not belong to you");
-
-      // parse the pubkey
-      var pk = ca.parsePublicKey(req.body.pubkey);
-
-      // same account, we certify the key
-      // we certify it for a day for now
-      var expiration = new Date();
-      expiration.setTime(new Date().valueOf() + config.get('certificate_validity_ms'));
-      var cert = ca.certify(req.body.email, pk, expiration);
-
-      res.writeHead(200, {'Content-Type': 'text/plain'});
-      res.write(cert);
-      res.end();
-    });
-
-/* code to bounce the cert off of a proper keysigner (issue #460)
-
     db.emailsBelongToSameAccount(req.session.authenticatedUser, req.body.email, function(sameAccount) {
       // not same account? big fat error
       if (!sameAccount) return httputils.badRequest(res, "that email does not belong to you");
@@ -453,7 +433,6 @@ function setup(app) {
         }
       });
     });
-*/
   });
 
   app.post('/wsapi/logout', function(req, resp) {