Affected: client-side SDKs
Symptoms
The following error occurs when a client-side SDK makes an HTTPS request to LaunchDarkly endpoints:
Access to XMLHttpRequest at 'https://{LaunchDarkly endpoint here}' from origin 'http://xyz' has been blocked by CORS policy....
Example:
Cause
These errors typically occur when:
- Custom headers are being injected into the client-side SDK HTTPS requests, typically from a third-party library
- The context object is very large due to the number of attributes used

LaunchDarkly server CORS rules allow connections from all sources. You can confirm this by checking for the following header in the response: Access-Control-Allow-Origin: *.
Solution
- Check for any third-party libraries in your app that could inject custom headers and disable them. In the error shown in the above example, traceparent is the custom header being injected into the request.
- Check the request URL that is erroring and confirm that it is no more than about 2000 characters long. The evalx URL, for example, can get long because the request is base64 encoded. If the request is too long, ensure that the context object does not have a large number of attributes. If it does, it is recommended to use the SDK's useReport configuration option, if supported. This option puts the user object in the request's body instead of the URL. You can read more about the useReport option.
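
The URL-length check above can be run against a context before it is sent. The following is an added example, not LaunchDarkly SDK code: it estimates the length of a GET URL that carries the base64-encoded context and lists the attributes that contribute most. The URL prefix, the function names and the sample contexts are constructed for illustration, and the estimate assumes the context is serialized as JSON before encoding.

```javascript
// Added diagnostic sketch, not LaunchDarkly SDK code.
const URL_LIMIT = 2000; // the article's "about 2000 characters"

// Length of the base64 form of a UTF-8 string:
// 4 output characters for every 3 input bytes, rounded up (padded).
function base64Length(text) {
  return 4 * Math.ceil(new TextEncoder().encode(text).length / 3);
}

// Estimate the request URL length for a context and rank its attributes by
// encoded size, so oversized ones can be trimmed or useReport enabled.
// `urlPrefix` is everything before the encoded context (hypothetical here).
function checkContextUrl(context, urlPrefix, limit = URL_LIMIT) {
  const urlLength = urlPrefix.length + base64Length(JSON.stringify(context));
  const largest = Object.entries(context)
    .map(([name, value]) => ({
      name,
      // Approximate share of the URL: encoded size of this key/value pair.
      encodedChars: base64Length(JSON.stringify({ [name]: value })),
    }))
    .sort((a, b) => b.encodedChars - a.encodedChars)
    .slice(0, 3);
  return { urlLength, overLimit: urlLength > limit, largest };
}

// Constructed sample input: placeholder prefix and two contexts.
const PREFIX = 'https://ld.example.invalid/sdk/evalx/ENV_ID/contexts/';
const smallContext = { kind: 'user', key: 'user-123', plan: 'pro' };
const largeContext = {
  kind: 'user',
  key: 'user-123',
  entitlements: Array.from({ length: 150 }, (_, i) => `feature-${i}`),
  segments: Array.from({ length: 40 }, (_, i) => `segment-${i}`),
};

for (const ctx of [smallContext, largeContext]) {
  const r = checkContextUrl(ctx, PREFIX);
  const verdict = r.overLimit ? 'over limit: trim attributes or use useReport' : 'ok';
  const top = r.largest.map((a) => `${a.name}=${a.encodedChars}`).join(', ');
  console.log(`${r.urlLength} chars, ${verdict} (largest: ${top})`);
}
```

The same function works in a browser, since TextEncoder is available there as well as in Node.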