CORS errors due to header changes

[VincentVW]

A recent change that is in the latest release (v9.3.1) seems to cause CORS errors for me.

On preflight requests this package now sends
access-control-request-headers of flagsmith-sdk-user-agent,x-environment-key, while flagsmith-sdk-user-agent is not to be found as allowed cors header in the api as far as I see.

The returned allowed headers from the preflight request seem to confirm that: accept, accept-encoding, authorization, content-type, dnt, origin, user-agent, x-csrftoken, x-requested-with, sentry-trace, X-Environment-Key, X-E2E-Test-Auth-Token. But I might be on a slightly older version of the BE so I'm not 100% sure.

I'd be happy to help on any change, I don't know context/intent here but feel free to tell me and ask for a PR.

[khvn26]

Hi, thanks for reporting! We opened Flagsmith/flagsmith#6010 to fix this. In the meantime, you can use the FLAGSMITH_CORS_EXTRA_ALLOW_HEADERS environment variable to add the header manually.

[VincentVW]

Thanks for the quick reply, fix, and suggestion! Awesome to see.

Small suggestion; technically I guess this is a breaking change with that PR since flagsmith-js-client@9.3.1 will now have a dependency on a certain version of Flagsmith/flagsmith. Might be nice to bump major and mention in release notes that it only works from a specific version of Flagsmith/flagsmith to avoid surprises when someone does minor dep upgrades.

[khvn26]

Thanks @VincentVW — I believe we'll go this route. Will close the issue once we release the new minor version rolling back the header changes.

[khvn26]

Released as part of https://github.com/Flagsmith/flagsmith-js-client/releases/tag/9.3.2.