cors_allowed_origins doesn't work for http

[obecny]

Describe the bug
Created a configuration like here for localhost
https://github.com/open-telemetry/opentelemetry-collector/tree/master/receiver/otlpreceiver#writing-with-httpjson
But still cors doesn't work in browser

What did you expect to see?
I expected to see at least something like this

HTTP/1.1 204 No Content
X-Powered-By: Express
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE
Vary: Access-Control-Request-Headers
Access-Control-Allow-Headers: x-opentelemetry-outgoing-request
Content-Length: 0
Date: Thu, 16 Jul 2020 20:02:20 GMT
Connection: keep-alive

Also Access-Control-Allow-Headers should contain all requested headers -

What did you see instead?
In OPTIONS response I see this

HTTP/1.1 200 OK
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Date: Thu, 16 Jul 2020 20:07:24 GMT
Content-Length: 0

And cors doesn't work

What version did you use?
latest 0.6.0

What config did you use?

receivers:
  otlp:
    protocols:
      grpc:
      http:
        cors_allowed_origins:
        - http://localhost:8090

Environment
osx, docker
Additional context
Page is served on
http://localhost:8090/user-interaction/

I tried all different variations for cors_allowed_origins as well none of it worked
for example

        - http://localhost:55681
        - localhost:55681
        - http://localhost:8090
        - localhost:8090
        - http://localhost:8090/user-interaction
        - http://localhost:8090/user-interaction/
        - http://localhost
        - localhost
        - localhost:8090
        - 0.0.0.0
        - 0.0.0.0:8090
        - 127.0.0.1
        - 127.0.0.1:8090
        - http://0.0.0.0
        - http://0.0.0.0:8090
        - http://127.0.0.1
        - http://127.0.0.1:8090
        - http://*

[obecny]

I saw a response but I think it was deleted anyway if you ask if I tried https Yes I did with all different combinations, it doesn't work :)

[bogdandrutu]

That's exactly what I was asking then deleted because I thought that you did it :).

Do you have a small sniper maybe an HTTP request example that you use so I have a starting point?

[obecny]

<!DOCTYPE html>
<html lang="en">

<head>
  <meta charset="utf-8">
  <title>Test</title>
  <base href="/">

  <meta name="viewport" content="width=device-width, initial-scale=1">
</head>

<body>
<script>
  var data = {"resourceSpans":[{"resource":{"attributes":[{"key":"service.name","value":{"stringValue":"collector-exporter"}},{"key":"telemetry.sdk.language","value":{"stringValue":"webjs"}},{"key":"telemetry.sdk.name","value":{"stringValue":"opentelemetry"}},{"key":"telemetry.sdk.version","value":{"stringValue":"0.9.0"}}],"droppedAttributesCount":0},"instrumentationLibrarySpans":[{"spans":[{"traceId":"82aM5qlmM2GXhPIgTpeezw==","spanId":"ZIvE5GGHiMA=","parentSpanId":"miAnDEOm3mo=","name":"https://httpbin.org/get?a=1","kind":3,"startTimeUnixNano":1595294626768124000,"endTimeUnixNano":1595294627427758800,"attributes":[{"key":"http.method","value":{"stringValue":"GET"}},{"key":"http.url","value":{"stringValue":"https://httpbin.org/get?a=1"}},{"key":"http.status_code","value":{"doubleValue":200}},{"key":"http.status_text","value":{"stringValue":"OK"}},{"key":"http.host","value":{"stringValue":"httpbin.org"}},{"key":"http.scheme","value":{"stringValue":"https"}},{"key":"http.user_agent","value":{"stringValue":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36"}}],"droppedAttributesCount":0,"events":[{"timeUnixNano":1595294626768159000,"name":"open","attributes":[],"droppedAttributesCount":0},{"timeUnixNano":1595294626768248800,"name":"send","attributes":[],"droppedAttributesCount":0},{"timeUnixNano":1595294626769443800,"name":"fetchStart","attributes":[],"droppedAttributesCount":0},{"timeUnixNano":1595294627426719000,"name":"responseEnd","attributes":[],"droppedAttributesCount":0},{"timeUnixNano":1595294627427758800,"name":"loaded","attributes":[],"droppedAttributesCount":0}],"droppedEventsCount":0,"status":{"code":0},"links":[],"droppedLinksCount":0}],"instrumentationLibrary":{"name":"@opentelemetry/plugin-xml-http-request","version":"0.9.0"}}]}]};
  var xhr = new XMLHttpRequest();
  xhr.open('POST', 'http://localhost:55681/v1/trace');
  xhr.setRequestHeader('Accept', 'application/json');
  xhr.setRequestHeader('Content-Type', 'application/json');
  xhr.setRequestHeader('my-own-header', '1');
  xhr.send(JSON.stringify(data));

  xhr.onreadystatechange = () => {
    if (xhr.readyState === XMLHttpRequest.DONE) {
      if (xhr.status >= 200 && xhr.status <= 299) {
        console.log('xhr success');
      } else {
        console.log('xhr error', xhr.status, xhr.responseText);
      }
    }
  };
</script>
</body>

</html>

[obecny]

Just wanted to ask if there is anything that is missing yet from my side ?

[keitwb]

@obecny I tested your HTML page and the problem seems to lie in the additional header you set (my-own-header). This causes the preflight request to have the header Access-Control-Request-Headers: content-type,my-own-header, which then causes the CORS logic in the Collector to reject the origin as invalid and prevent the expected Access-Control-Allow* headers from showing up in the response.

Right now there is no way that I see to allow extra headers without adding more logic to the OTLP receiver. Can you give some more info on your use case to see how generally useful it would be?

[pmm-sumo]

We hit the same problem. I think what happens is that CORS AllowedHeaders needs to be exposed in confighttp and used around here: confighttp.go#L158

[pmm-sumo]

@obecny with setting cors_allowed_headers(even to * or so) via #2454 the problem seems to be gone for our use case