Provide Access-Control-Allow-Origin header on the response to RUM ACM endpoint

[hmdhk]

Requests made to the /config/v1/agents by the RUM agent will fail if the Access-Control-Allow-Origin header is not present on the response.

The value of this header should be generated using the same algorithm used for the /intake/v2/rum/events endpoint.

[hmdhk]

@elastic/apm-server , Is it a possibility to provide the CORS headers on all endpoints by default?

[jalvz]

On all endpoints? What is the use case eg for /intake/v2/events ?

[hmdhk]

I'm basically looking for a solution to make sure we don't forget about CORS headers for the endpoints that are going to be used by the RUM agent.

We can consider other solutions, if you think having the CORS headers for all endpoints has
drawbacks. Either way, I don't have a strong opinion on the solution itself but I think we should find a way to make sure these headers are added for all RUM endpoints in the future.

[jalvz]

got it, thanks!

[simitt]

Just as a note - the config/v1/agents was not meant to be used by the RUM agent (at the moment), see #2220 (comment). Based on previous discussions where it became obvious that there will be some additional things to consider for RUM (rate limiting, security token handling, ..) we agreed on adding a dedicated solution for the RUM agent once it will be implemented in the agent.

Referencing #2694 here as the dedicated task for adding RUM support server side.