fix faro.receiver cors not allowing x-scope-orgid, traceparent headers (#4051)

* fix faro.receiver cors not allowing x-scope-orgid, traceparent headers

* sort values listed in Access-Control-Request-Headers header in test

* fix faro.receiver readme to include allowed headers list

* Update docs/sources/reference/components/faro/faro.receiver.md

Co-authored-by: Clayton Cornell <131809008+clayton-cornell@users.noreply.github.com>

---------

Co-authored-by: Clayton Cornell <131809008+clayton-cornell@users.noreply.github.com>

Author: mar4uk

CHANGELOG.md

@@ -61,6 +61,8 @@ Main (unreleased)
 
 - Fixed a bug in `prometheus.write.queue` which caused retries even when `max_retry_attempts` was set to `0`. (@ptodev)
 
+- Fix issue with `faro.receiver` cors not allowing X-Scope-OrgID and traceparent headers. (@mar4uk)
+
 v1.10.0
 -----------------
 

docs/sources/reference/components/faro/faro.receiver.md

@@ -105,6 +105,8 @@ The default value, `[]`, disables CORS support.
 To support requests from all origins, set `cors_allowed_origins` to `["*"]`.
 The `*` character indicates a wildcard.
 
+You can use the following headers for cross-domain requests: `Content-Type`, `Traceparent`, `X-API-Key`, `X-Faro-Session-Id`, or `X-Scope-OrgID`.
+
 When the `api_key` argument is non-empty, client requests must have an HTTP header called `X-API-Key` matching the value of the `api_key` argument.
 Requests that are missing the header or have the wrong value are rejected with an `HTTP 401 Unauthorized` status code.
 If the `api_key` argument is empty, no authentication checks are performed, and the `X-API-Key` HTTP header is ignored.

internal/component/faro/receiver/handler.go

@@ -19,6 +19,8 @@ import (
 
 const apiKeyHeader = "x-api-key"
 
+var defaultAllowedHeaders = []string{"content-type", "traceparent", apiKeyHeader, "x-faro-session-id", "x-scope-orgid"}
+
 type handler struct {
 	log         log.Logger
 	rateLimiter *rate.Limiter
@@ -71,7 +73,7 @@ func (h *handler) Update(args ServerArguments) {
 	if len(args.CORSAllowedOrigins) > 0 {
 		h.cors = cors.New(cors.Options{
 			AllowedOrigins: args.CORSAllowedOrigins,
-			AllowedHeaders: []string{apiKeyHeader, "content-type", "x-faro-session-id"},
+			AllowedHeaders: defaultAllowedHeaders,
 		})
 	} else {
 		h.cors = nil // Disable cors.

internal/component/faro/receiver/handler_test.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"net/http"
 	"net/http/httptest"
+	"sort"
 	"strings"
 	"testing"
 
@@ -227,6 +228,86 @@ func TestValidAPIKey(t *testing.T) {
 	require.Len(t, exporter2.payloads, 1)
 }
 
+func TestCORSPreflightWithDisallowedHeader(t *testing.T) {
+	var (
+		exporter1 = &testExporter{"exporter1", false, nil}
+		exporter2 = &testExporter{"exporter2", false, nil}
+
+		h = newHandler(
+			util.TestLogger(t),
+			prometheus.NewRegistry(),
+			[]exporter{exporter1, exporter2},
+		)
+	)
+
+	h.Update(ServerArguments{
+		CORSAllowedOrigins: []string{
+			"https://example.com",
+		},
+	})
+
+	// Test preflight request with disallowed header
+	req, err := http.NewRequest(http.MethodOptions, "/collect", nil)
+	require.NoError(t, err)
+	req.Header.Set("Origin", "https://example.com")
+	req.Header.Set("Access-Control-Request-Method", "POST")
+	req.Header.Set("Access-Control-Request-Headers", "x-custom-header")
+
+	rr := httptest.NewRecorder()
+	h.ServeHTTP(rr, req)
+
+	// The preflight should succeed (204), but x-custom-header should NOT be in allowed headers
+	require.Equal(t, http.StatusNoContent, rr.Result().StatusCode)
+	allowedHeaders := rr.Header().Get("Access-Control-Allow-Headers")
+
+	// When requesting a disallowed header, CORS returns empty Access-Control-Allow-Headers
+	// This effectively tells the browser that no custom headers are allowed
+	require.Equal(t, "", allowedHeaders, "CORS should return empty allowed headers when disallowed header is requested")
+}
+
+func TestCORSPreflightWithAllowedHeader(t *testing.T) {
+	var (
+		exporter1 = &testExporter{"exporter1", false, nil}
+		exporter2 = &testExporter{"exporter2", false, nil}
+
+		h = newHandler(
+			util.TestLogger(t),
+			prometheus.NewRegistry(),
+			[]exporter{exporter1, exporter2},
+		)
+	)
+
+	h.Update(ServerArguments{
+		CORSAllowedOrigins: []string{
+			"https://example.com",
+		},
+	})
+
+	// Test preflight request with allowed headers
+	req, err := http.NewRequest(http.MethodOptions, "/collect", nil)
+	require.NoError(t, err)
+	req.Header.Set("Origin", "https://example.com")
+	req.Header.Set("Access-Control-Request-Method", "POST")
+
+	sortedHeaders := make([]string, 0, len(defaultAllowedHeaders))
+	sortedHeaders = append(sortedHeaders, defaultAllowedHeaders...)
+	sort.Strings(sortedHeaders)
+	// Library github.com/rs/cors expects values listed in Access-Control-Request-Headers header
+	// are unique and sorted;
+	// see https://github.com/rs/cors/blob/1084d89a16921942356d1c831fbe523426cf836e/cors.go#L115-L120
+	req.Header.Set("Access-Control-Request-Headers", strings.Join(sortedHeaders, ","))
+
+	rr := httptest.NewRecorder()
+	h.ServeHTTP(rr, req)
+
+	// The preflight should succeed and include the requested headers
+	require.Equal(t, http.StatusNoContent, rr.Result().StatusCode)
+	allowedHeaders := rr.Header().Get("Access-Control-Allow-Headers")
+	for _, allowed := range defaultAllowedHeaders {
+		require.Contains(t, allowedHeaders, allowed)
+	}
+}
+
 func TestRateLimiter(t *testing.T) {
 	var (
 		exporter1 = &testExporter{"exporter1", false, nil}