Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add cors_allowed_headers option to confighttp #2454

Merged
merged 3 commits into from
Feb 22, 2021

Conversation

pmm-sumo
Copy link
Contributor

@pmm-sumo pmm-sumo commented Feb 10, 2021

Description:
Fixes #1383 by exposing ability to set CORS Allowed Headers

Link to tracking Issue: #1383

Testing: Config unit tests updated, manual tests performed with requests sent from browser via OpenTelemetry-JS to another domain (where the collector was residing)

Documentation: Description of the newly added option added

@codecov
Copy link

codecov bot commented Feb 10, 2021

Codecov Report

Merging #2454 (fc414ee) into main (9de6dd7) will not change coverage.
The diff coverage is 100.00%.

Impacted file tree graph

@@           Coverage Diff           @@
##             main    #2454   +/-   ##
=======================================
  Coverage   91.76%   91.76%           
=======================================
  Files         265      265           
  Lines       15111    15111           
=======================================
  Hits        13867    13867           
  Misses        866      866           
  Partials      378      378           
Impacted Files Coverage Δ
config/confighttp/confighttp.go 100.00% <100.00%> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 9de6dd7...fc414ee. Read the comment docs.

@pmm-sumo pmm-sumo marked this pull request as ready for review February 10, 2021 09:59
@pmm-sumo pmm-sumo requested a review from a team February 10, 2021 09:59
@pmm-sumo
Copy link
Contributor Author

Thank you @keitwb I adjusted the code accordingly, provided more details in doc and included few more test-cases

Copy link
Contributor

@keitwb keitwb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. Thanks for adding this.

@keitwb
Copy link
Contributor

keitwb commented Feb 11, 2021

@tigrannajaryan can you take a look as well?

Comment on lines 117 to +123
CorsOrigins []string `mapstructure:"cors_allowed_origins"`

// CorsHeaders are the allowed CORS headers for HTTP/JSON requests to grpc-gateway adapter
// for the OTLP receiver. See github.com/rs/cors
// CORS needs to be enabled first by providing a non-empty list in CorsOrigins
// A wildcard (*) can be used to match any header.
CorsHeaders []string `mapstructure:"cors_allowed_headers"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In an ideal world, would you have allowed headers per origin?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Asking because we still have an opportunity to fix this before GA, so I would like to not just add things now and have to cleanup in 2 months :)

Maybe we can get this right now and deprecate the old way.

Copy link
Contributor Author

@pmm-sumo pmm-sumo Feb 15, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good question. I think we are largely relying on rs/cors model here, which does not seem to provide such capability. At the same time, something like this can be also achieved with separate receivers (though they would need different ports, so not ideal, but when used via reverse proxy maybe not so bad either). @keitwb @kkruk-sumo - what do you think?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pmm-sumo based on your experience what is the more common case:

  • Having same headers per multiple origins?
  • Having special headers per each origin?

Based on this we can optimize for one case or the other :)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately, I don't have much experience with CORS. My impression is that within a single deployment, origins can be quite similar to each other so they could share the set of headers (so option 1). But would be great to check with someone more experienced, hence the call to @keitwb and @kkruk-sumo :)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I doubt many people will want special headers per origin for a single instance of a CORS enabled receiver. That seems overly complicated for the config and you can just make multiple receiver instances with separate ports if you really wanted such a thing.

config/confighttp/confighttp.go Outdated Show resolved Hide resolved
The capability is out of scope of the PR
This was referenced Mar 15, 2021
hughesjj pushed a commit to hughesjj/opentelemetry-collector that referenced this pull request Apr 27, 2023
…metry#2454)

Bumps [github.com/jaegertracing/jaeger](https://github.com/jaegertracing/jaeger) from 1.40.0 to 1.41.0.
- [Release notes](https://github.com/jaegertracing/jaeger/releases)
- [Changelog](https://github.com/jaegertracing/jaeger/blob/main/CHANGELOG.md)
- [Commits](jaegertracing/jaeger@v1.40.0...v1.41.0)

---
updated-dependencies:
- dependency-name: github.com/jaegertracing/jaeger
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

cors_allowed_origins doesn't work for http
4 participants