Open ahayworth opened 1 year ago
@ahayworth if you'd like to open a PR to fix the behaviour, I believe #2 is the correct way to proceed
Fantastic, I'll take that approach. I still intend to fix it (likely tonight or tomorrow night), I just haven't been able to squeeze in a few minutes to write any code in the past few days. π
Describe the bug The documentation around CORS
allowed_headers
for the otlpreceiver and confighttp are unintentionally misleading. The language implies that headers listed here will be allowed in addition to the default safelist; but the actual behavior is to replace the default safelist (except forOrigin
).You can see this behavior in the upstream CORS code that we rely on.
Steps to reproduce
allowed_headers
to anything you'd like.What did you expect to see? I expected to see requests succeeding. π
What did you see instead? I saw all requests failing. π
What version did you use? Version:
v0.61.0
, but this is not necessarily version-dependentWhat config did you use? Config:
(NB: the astute observer will note that we didn't need to set this option. We ... are now also aware of this fact π )
Environment OS: π€« I don't think I am allowed to say π€« Compiler(if manually compiled):
go 1.19
Additional context
I believe this can be addressed in one of two ways:
allowed_headers
option.I'm happy to make either fix: please just let me know which one the maintainers would prefer.