feat: allow cors header to be excluded from request headers (#489)

kevinpagtakhan · web-flow · commit 0119ac7b92ba · 2022-01-20T11:22:46.000-08:00
diff --git a/src/xhr.js b/src/xhr.js
@@ -10,8 +10,13 @@ var Request = function (url, data, headers) {
   this.headers = headers;
 };
 
+const CORS_HEADER = 'Cross-Origin-Resource-Policy';
+
 function setHeaders(xhr, headers) {
   for (const header in headers) {
+    if (header === CORS_HEADER && !headers[header]) {
+      continue;
+    }
     xhr.setRequestHeader(header, headers[header]);
   }
 }
diff --git a/test/amplitude-client.js b/test/amplitude-client.js
@@ -1690,13 +1690,50 @@ describe('AmplitudeClient', function () {
       assert.equal(server.requests[0].requestHeaders['Content-Type'], 'application/json;charset=utf-8');
     });
 
+    it('should send request with no cors header when passed an empty string', function () {
+      amplitude.init(apiKey, null, {
+        headers: { 'Cross-Origin-Resource-Policy': '' },
+      });
+      amplitude.logEvent('Event Type 1');
+      assert.lengthOf(server.requests, 1);
+      assert.notExists(server.requests[0].requestHeaders['Cross-Origin-Resource-Policy']);
+    });
+
+    it('should send request with no cors header when passed undefined', function () {
+      amplitude.init(apiKey, null, {
+        headers: { 'Cross-Origin-Resource-Policy': undefined },
+      });
+      amplitude.logEvent('Event Type 1');
+      assert.lengthOf(server.requests, 1);
+      assert.notExists(server.requests[0].requestHeaders['Cross-Origin-Resource-Policy']);
+    });
+
+    it('should send request with no cors header when passed null', function () {
+      amplitude.init(apiKey, null, {
+        headers: { 'Cross-Origin-Resource-Policy': null },
+      });
+      amplitude.logEvent('Event Type 1');
+      assert.lengthOf(server.requests, 1);
+      assert.notExists(server.requests[0].requestHeaders['Cross-Origin-Resource-Policy']);
+    });
+
+    it('should send request with custom cors header', function () {
+      amplitude.init(apiKey, null, {
+        headers: { 'Cross-Origin-Resource-Policy': 'same-site' },
+      });
+      amplitude.logEvent('Event Type 1');
+      assert.lengthOf(server.requests, 1);
+      assert.equal(server.requests[0].requestHeaders['Cross-Origin-Resource-Policy'], 'same-site');
+    });
+
     it('should send https request', function () {
       amplitude.options.forceHttps = true;
       amplitude.logEvent('Event Type 1');
       assert.lengthOf(server.requests, 1);
       assert.equal(server.requests[0].url, 'https://api.amplitude.com');
       assert.equal(server.requests[0].method, 'POST');
       assert.equal(server.requests[0].async, true);
+      assert.equal(server.requests[0].requestHeaders['Cross-Origin-Resource-Policy'], 'cross-origin');
     });
 
     it('should send https request by configuration', function () {

Original file line number	Diff line number	Diff line change
`@@ -10,8 +10,13 @@ var Request = function (url, data, headers) {`
`10`	`10`	`this.headers = headers;`
`11`	`11`	`};`
`12`	`12`
	`13`	`+const CORS_HEADER = 'Cross-Origin-Resource-Policy';`
	`14`	`+`
`13`	`15`	`function setHeaders(xhr, headers) {`
`14`	`16`	`for (const header in headers) {`
	`17`	`+ if (header === CORS_HEADER && !headers[header]) {`
	`18`	`+ continue;`
	`19`	`+ }`
`15`	`20`	`xhr.setRequestHeader(header, headers[header]);`
`16`	`21`	`}`
`17`	`22`	`}`