Specifying telemetry response header yields "Refused to get unsafe header"

Question

Specifying telemetry response header yields "Refused to get unsafe header"

luax opened this issue 4 years ago · comments

Hello!

I configured autoInstrument to include the response header Request-Id only:

    autoInstrument: {
      network: true,
      log: true,
      dom: true,
      navigation: true,
      connectivity: true,
      networkResponseHeaders: ['Request-Id'],
      networkResponseBody: false,
      networkRequestBody: false,
    }

But got this error message in Chrome (Refused to get unsafe header "Request-Id"):

Setting networkResponseHeaders to true does not include Request-Id either. Potentially related blog post about this error.

Is this indented?

Thank you,
Ludvig

Walt Jones · Answer 1 · Thu May 07 2020 23:26:25 GMT+0800 (China Standard Time)

Under CORS security, the HTTP response must include the Access-Control-Expose-Headers header in its response, and whitelist the specific headers the client is allowed to access. This is implemented and enforced by the browser.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers

Ludvig Axelsson · Answer 2 · Fri May 08 2020 14:54:50 GMT+0800 (China Standard Time)

Thanks @waltjones!