Allow custom headers to be returned as part of pre-flight requests

core/src/main/resources/reference.conf

@@ -52,6 +52,7 @@
 
   cors {
     accessControlMaxAge = 60 minutes 
+    allowedCorsHeaders = ["X-Example"]
   }
 
   streams {

core/src/main/scala/com.snowplowanalytics.snowplow.collector.core/Config.scala

@@ -95,7 +95,8 @@ object Config {
   )
 
   case class CORS(
-    accessControlMaxAge: FiniteDuration
+    accessControlMaxAge: FiniteDuration,
+    allowedCorsHeaders: List[String]
   )
 
   case class Streams[+SinkConfig](

core/src/main/scala/com.snowplowanalytics.snowplow.collector.core/Service.scala

@@ -17,6 +17,7 @@ import org.apache.commons.codec.binary.Base64
 import scala.concurrent.duration._
 import scala.jdk.CollectionConverters._
 
+import cats.data.NonEmptyList
 import cats.effect.{Clock, Sync}
 import cats.implicits._
 
@@ -139,11 +140,13 @@ class Service[F[_]: Sync](
   }
 
   override def preflightResponse(req: Request[F]): F[Response[F]] = Sync[F].pure {
+    val allowedHeaders = (List("Content-Type", "SP-Anonymous") ++ config.cors.allowedCorsHeaders).map(CIString(_))
+    val corsHeaders    = NonEmptyList.fromListUnsafe(allowedHeaders)
     Response[F](
       headers = Headers(
         accessControlAllowOriginHeader(req),
         `Access-Control-Allow-Credentials`(),
-        `Access-Control-Allow-Headers`(ci"Content-Type", ci"SP-Anonymous"),
+        `Access-Control-Allow-Headers`(corsHeaders),
         `Access-Control-Max-Age`.Cache(config.cors.accessControlMaxAge.toSeconds).asInstanceOf[`Access-Control-Max-Age`]
       )
     )

core/src/test/scala/com.snowplowanalytics.snowplow.collector.core/ServiceSpec.scala

@@ -415,7 +415,7 @@ class ServiceSpec extends Specification {
         val expected = Headers(
           Header.Raw(ci"Access-Control-Allow-Origin", "*"),
           `Access-Control-Allow-Credentials`(),
-          `Access-Control-Allow-Headers`(ci"Content-Type", ci"SP-Anonymous"),
+          `Access-Control-Allow-Headers`(ci"Content-Type", ci"SP-Anonymous", ci"X-Howdy"),
           `Access-Control-Max-Age`.Cache(3600).asInstanceOf[`Access-Control-Max-Age`]
         )
         service.preflightResponse(Request[IO]()).unsafeRunSync().headers shouldEqual expected

core/src/test/scala/com.snowplowanalytics.snowplow.collector.core/TestUtils.scala

@@ -74,7 +74,7 @@ object TestUtils {
       Map.empty[String, String],
       ""
     ),
-    cors = CORS(60.minutes),
+    cors = CORS(60.minutes, List("X-Howdy")),
     streams = Streams(
       good = SinkConfig(
         name = "raw",

examples/config.kafka.extended.hocon

@@ -168,6 +168,9 @@ collector {
     # The Access-Control-Max-Age response header indicates how long the results of a preflight
     # request can be cached. -1 seconds disables the cache. Chromium max is 10m, Firefox is 24h.
     accessControlMaxAge = 60 minutes
+    # The allowedCorsHeaders response header allows non-safelisted CORS headers to be returned
+    # as part of OPTIONS (preflight) requests
+    allowedCorsHeaders = ["X-Example"]
   }
 
   streams {

examples/config.kinesis.extended.hocon

@@ -168,6 +168,9 @@ collector {
     # The Access-Control-Max-Age response header indicates how long the results of a preflight
     # request can be cached. -1 seconds disables the cache. Chromium max is 10m, Firefox is 24h.
     accessControlMaxAge = 60 minutes
+    # The allowedCorsHeaders response header allows non-safelisted CORS headers to be returned
+    # as part of OPTIONS (preflight) requests
+    allowedCorsHeaders = ["X-Example"]
   }
 
   streams {

examples/config.nsq.extended.hocon

@@ -168,6 +168,9 @@ collector {
     # The Access-Control-Max-Age response header indicates how long the results of a preflight
     # request can be cached. -1 seconds disables the cache. Chromium max is 10m, Firefox is 24h.
     accessControlMaxAge = 60 minutes
+    # The allowedCorsHeaders response header allows non-safelisted CORS headers to be returned
+    # as part of OPTIONS (preflight) requests
+    allowedCorsHeaders = ["X-Example"]
   }
 
   streams {

examples/config.pubsub.extended.hocon

@@ -168,6 +168,9 @@ collector {
     # The Access-Control-Max-Age response header indicates how long the results of a preflight
     # request can be cached. -1 seconds disables the cache. Chromium max is 10m, Firefox is 24h.
     accessControlMaxAge = 60 minutes
+    # The allowedCorsHeaders response header allows non-safelisted CORS headers to be returned
+    # as part of OPTIONS (preflight) requests
+    allowedCorsHeaders = ["X-Example"]
   }
 
   streams {

examples/config.sqs.extended.hocon

@@ -159,6 +159,9 @@ collector {
     # The Access-Control-Max-Age response header indicates how long the results of a preflight
     # request can be cached. -1 seconds disables the cache. Chromium max is 10m, Firefox is 24h.
     accessControlMaxAge = 60 minutes
+    # The allowedCorsHeaders response header allows non-safelisted CORS headers to be returned
+    # as part of OPTIONS (preflight) requests
+    allowedCorsHeaders = ["X-Example"]
   }
 
   streams {

examples/config.stdout.extended.hocon

@@ -168,6 +168,9 @@ collector {
     # The Access-Control-Max-Age response header indicates how long the results of a preflight
     # request can be cached. -1 seconds disables the cache. Chromium max is 10m, Firefox is 24h.
     accessControlMaxAge = 60 minutes
+    # The allowedCorsHeaders response header allows non-safelisted CORS headers to be returned
+    # as part of OPTIONS (preflight) requests
+    allowedCorsHeaders = ["X-Example"]
   }
 
   streams {

kafka/src/test/scala/com.snowplowanalytics.snowplow.collectors.scalastream/KafkaConfigSpec.scala

@@ -101,7 +101,7 @@ object KafkaConfigSpec {
       headers    = Map.empty[String, String],
       body       = ""
     ),
-    cors = Config.CORS(1.hour),
+    cors = Config.CORS(1.hour, List("X-Howdy")),
     monitoring = Config.Monitoring(
       Config.Metrics(
         Config.Statsd(false, "localhost", 8125, 10.seconds, "snowplow.collector", Map.empty)

kinesis/src/test/scala/com.snowplowanalytics.snowplow.collectors.scalastream/sinks/KinesisConfigSpec.scala

@@ -111,7 +111,7 @@ object KinesisConfigSpec {
       headers    = Map.empty[String, String],
       body       = ""
     ),
-    cors = Config.CORS(1.hour),
+    cors = Config.CORS(1.hour, List("X-Howdy")),
     monitoring = Config.Monitoring(
       Config.Metrics(
         Config.Statsd(false, "localhost", 8125, 10.seconds, "snowplow.collector", Map.empty)

nsq/src/test/scala/com.snowplowanalytics.snowplow.collectors.scalastream/NsqConfigSpec.scala

@@ -100,7 +100,7 @@ object NsqConfigSpec {
       headers    = Map.empty[String, String],
       body       = ""
     ),
-    cors = Config.CORS(1.hour),
+    cors = Config.CORS(1.hour, List("X-Howdy")),
     monitoring = Config.Monitoring(
       Config.Metrics(
         Config.Statsd(false, "localhost", 8125, 10.seconds, "snowplow.collector", Map.empty)

pubsub/src/test/scala/com.snowplowanalytics.snowplow.collectors.scalastream/ConfigSpec.scala

@@ -100,7 +100,7 @@ object ConfigSpec {
       headers    = Map.empty[String, String],
       body       = ""
     ),
-    cors = Config.CORS(1.hour),
+    cors = Config.CORS(1.hour, List("X-Howdy")),
     monitoring = Config.Monitoring(
       Config.Metrics(
         Config.Statsd(false, "localhost", 8125, 10.seconds, "snowplow.collector", Map.empty)

sqs/src/test/scala/com.snowplowanalytics.snowplow.collectors.scalastream/SqsConfigSpec.scala

@@ -101,7 +101,7 @@ object SqsConfigSpec {
       headers    = Map.empty[String, String],
       body       = ""
     ),
-    cors = Config.CORS(1.hour),
+    cors = Config.CORS(1.hour, List("X-Howdy")),
     monitoring = Config.Monitoring(
       Config.Metrics(
         Config.Statsd(false, "localhost", 8125, 10.seconds, "snowplow.collector", Map.empty)