http plugin set Access-Control-Allow-Credentials header

[bjornicus]

Is your feature request related to a problem? Please describe.

I'm trying to use the http input plugin to collect logs from a client web app. I want to do my best to send any remaining logs from the client when the window is closed, so am attempting to use the sendBeacon api to do so:

  let headers = {
    type: 'application/json'
  };
  let blob = new Blob([JSON.stringify(logs)], headers);
  window.navigator.sendBeacon(logUrl, blob)

unfortunately, it sets credentials: "include" (which is not customizable) on the request, and I get an error on the console:
Access to resource at 'https://app.westus2.stage.stage.hoy.lu/logs/login.app' from origin 'http://localhost:3002' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'.

Describe the solution you'd like

I believe all that I need is a way to have fluentd set the Access-Control-Allow-Credentials header to 'true' on the response and everything will work as expected.

[cosmo0920]

How about setting up additional headers via headers parameter on built-in out_http plugin?

ref: https://docs.fluentd.org/output/http#headers

[cosmo0920]

And this issue ticket is NOT USER FORUM but for management bugs of Fluentd.
Please send your question into discuss.fluentd.org for the next time? Thanks.

[bjornicus]

Sorry, I was not aware there was an input and output plugin called http; this feature request is for the input plugin which doe not have any headers parameter documented.

I will edit the original feature request description to be more clear about input vs output.

[cosmo0920]

OK, thanks for the detailed description. I reopened this issue.

[ashie]

refs:

• https://w3c.github.io/beacon/
• https://fetch.spec.whatwg.org/#http-access-control-allow-credentials
• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
• https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#requests_with_credentials

• fluentd/lib/fluent/plugin/in_http.rb

  Lines 492 to 494 in 5bc4c6b

  	elsif include_cors_allow_origin
  	header["Access-Control-Allow-Origin"] = @origin
  	send_response_and_close(RES_200_STATUS, header, "")

• fluentd/lib/fluent/plugin/in_http.rb

  Lines 577 to 579 in 5bc4c6b

  	elsif include_cors_allow_origin
  	header['Access-Control-Allow-Origin'] = @origin
  	end

[kenhys]

One PoC implementation: (NOTE: it breaks existing test cases)

diff --git a/lib/fluent/plugin/in_http.rb b/lib/fluent/plugin/in_http.rb
index 2af6835f..e7c81215 100644
--- a/lib/fluent/plugin/in_http.rb
+++ b/lib/fluent/plugin/in_http.rb
@@ -82,6 +82,8 @@ module Fluent::Plugin
     config_param :dump_error_log, :bool, default: true
     desc 'Add QUERY_ prefix query params to record'
     config_param :add_query_params, :bool, default: false
+    desc 'Additional headers to the HTTP response'
+    config_param :headers, :hash, default: nil
 
     config_section :parse do
       config_set_default :@type, 'in_http'
@@ -279,7 +281,7 @@ module Fluent::Plugin
     private
 
     def on_server_connect(conn)
-      handler = Handler.new(conn, @km, method(:on_request), @body_size_limit, @format_name, log, @cors_allow_origins, @add_query_params)
+      handler = Handler.new(conn, @km, method(:on_request), @body_size_limit, @format_name, log, @cors_allow_origins, @add_query_params, @headers)
 
       conn.on(:data) do |data|
         handler.on_read(data)
@@ -356,7 +358,7 @@ module Fluent::Plugin
     class Handler
       attr_reader :content_type
 
-      def initialize(io, km, callback, body_size_limit, format_name, log, cors_allow_origins, add_query_params)
+      def initialize(io, km, callback, body_size_limit, format_name, log, cors_allow_origins, add_query_params, headers)
         @io = io
         @km = km
         @callback = callback
@@ -367,6 +369,7 @@ module Fluent::Plugin
         @cors_allow_origins = cors_allow_origins
         @idle = 0
         @add_query_params = add_query_params
+        @headers = headers
         @km.add(self)
 
         @remote_port, @remote_addr = io.remote_port, io.remote_addr
@@ -605,6 +608,7 @@ module Fluent::Plugin
       end
 
       def send_response(code, header, body)
+        header = @headers.merge(header)
         header['Content-Length'] ||= body.bytesize
         header['Content-Type'] ||= 'text/plain'.freeze
 
diff --git a/test/plugin/test_in_http.rb b/test/plugin/test_in_http.rb
index 3711218e..b82523d2 100644
--- a/test/plugin/test_in_http.rb
+++ b/test/plugin/test_in_http.rb
@@ -944,6 +944,23 @@ class HttpInputTest < Test::Unit::TestCase
     assert_equal events, d.events
   end
 
+  def test_headers
+    header = "Access-Control-Allow-Credentials"
+    d = create_driver(config + "headers {\"#{header}\": true}")
+    headers = {"#{header}" => true}
+    assert_equal headers, d.instance.headers
+
+    time = event_time("2011-01-02 13:14:15 UTC")
+    record = ["tag1", time, {"a"=>1}]
+    d.run do
+      res = post("/", {"json"=>record.to_json, "time"=>time.to_s})
+      res.each_name do |name|
+        next if name != header.downcase
+        assert_equal res.fetch(name), d.instance.headers[header].to_s
+      end
+    end
+  end
+
   $test_in_http_connection_object_ids = []
   $test_in_http_content_types = []
   $test_in_http_content_types_flag = false

[ashie]

Always adding Access-Control-Allow-Credentials is inappropriate.
Please check the specification I listed above.