Allow custom headers to be returned as part of pre-flight requests #423

miike · 2024-04-17T06:44:52Z

Certain services (e.g., Datadog) have a requirement for adding non CORS-safelisted headers to network requests in order to record tracing information for later reporting.

Currently requests which included non-safelisted headers error out when performing the pre-flight OPTIONS request. This adds the ability to specify a custom list (in addition to the default headers) that are returned as part of the Access-Control-Allow-Headers response.

Context: https://discourse.snowplow.io/t/access-to-xmlhttprequest-has-been-blocked-by-cors-policy-request-header-field-traceparent-is-not-allowed-by-access-control-allow-headers-in-preflight-response/9922/3

istreeter · 2024-04-17T10:01:38Z

core/src/main/scala/com.snowplowanalytics.snowplow.collector.core/Service.scala

+    val allowedHeaders = (List("Content-Type", "SP-Anonymous") ++ config.cors.allowedCorsHeaders).map(CIString(_))
+    val corsHeaders    = NonEmptyList.fromListUnsafe(allowedHeaders)


Think we can remove the "unsafe" method. Which is harmless in this case, but stands out as worrisome when you see it in collector code.

val corsHeaders = NonEmptyList("Content-Type", "SP-Anonymous" :: config.cors.allowedCorsHeaders).map(CIString(_))

istreeter · 2024-04-17T10:02:44Z

core/src/main/resources/reference.conf

@@ -52,6 +52,7 @@

  cors {
    accessControlMaxAge = 60 minutes 
+    allowedCorsHeaders = ["X-Example"]


This file provides defaults for the app. So by adding "X-Example" here, it means all pipelines everywhere will respond with "X-Example" in the list of allowed headers.

Guessing that's probably not what you want?

stanch · 2024-04-17T10:23:48Z

core/src/main/scala/com.snowplowanalytics.snowplow.collector.core/Service.scala

@@ -139,11 +140,13 @@ class Service[F[_]: Sync](
  }

  override def preflightResponse(req: Request[F]): F[Response[F]] = Sync[F].pure {
+    val allowedHeaders = (List("Content-Type", "SP-Anonymous") ++ config.cors.allowedCorsHeaders).map(CIString(_))


What about just making Content-Type and SP-Anonymous a part of the allowedCorsHeaders setting? That would avoid rebuilding this list on every request. And actually allowedCorsHeaders is a misnomer if it does not include all allowed headers.

Do you mean as part of the config? My only concern would be if people remove this from a default config.

miike force-pushed the acah branch 2 times, most recently from 8d28487 to 2d7a3c8 Compare April 17, 2024 09:46

Allow custom headers to be returned as part of pre-flight requests

ea87ee6

miike force-pushed the acah branch from 2d7a3c8 to ea87ee6 Compare April 17, 2024 09:57

istreeter reviewed Apr 17, 2024

View reviewed changes

stanch reviewed Apr 17, 2024

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Allow custom headers to be returned as part of pre-flight requests #423

Allow custom headers to be returned as part of pre-flight requests #423

miike commented Apr 17, 2024

istreeter Apr 17, 2024

istreeter Apr 17, 2024

stanch Apr 17, 2024

miike Apr 18, 2024

		val allowedHeaders = (List("Content-Type", "SP-Anonymous") ++ config.cors.allowedCorsHeaders).map(CIString(_))
		val corsHeaders = NonEmptyList.fromListUnsafe(allowedHeaders)

Allow custom headers to be returned as part of pre-flight requests #423

Are you sure you want to change the base?

Allow custom headers to be returned as part of pre-flight requests #423

Conversation

miike commented Apr 17, 2024

istreeter Apr 17, 2024

Choose a reason for hiding this comment

istreeter Apr 17, 2024

Choose a reason for hiding this comment

stanch Apr 17, 2024

Choose a reason for hiding this comment

miike Apr 18, 2024

Choose a reason for hiding this comment