From 34cd88a7a98b24866883f1de0de8e2154be42b8e Mon Sep 17 00:00:00 2001
From: Kevin Pagtakhan <kevinp@amplitude.com>
Date: Thu, 20 Jan 2022 09:53:42 -0800
Subject: [PATCH] feat: allow cors header to be excluded from request headers

---
 src/xhr.js               |  5 +++++
 test/amplitude-client.js | 37 +++++++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+)

diff --git a/src/xhr.js b/src/xhr.js
index 8a532314..1c1110cc 100644
--- a/src/xhr.js
+++ b/src/xhr.js
@@ -10,8 +10,13 @@ var Request = function (url, data, headers) {
   this.headers = headers;
 };
 
+const CORS_HEADER = 'Cross-Origin-Resource-Policy';
+
 function setHeaders(xhr, headers) {
   for (const header in headers) {
+    if (header === CORS_HEADER && !headers[header]) {
+      continue;
+    }
     xhr.setRequestHeader(header, headers[header]);
   }
 }
diff --git a/test/amplitude-client.js b/test/amplitude-client.js
index 368d5e14..bee4d807 100644
--- a/test/amplitude-client.js
+++ b/test/amplitude-client.js
@@ -1690,6 +1690,42 @@ describe('AmplitudeClient', function () {
       assert.equal(server.requests[0].requestHeaders['Content-Type'], 'application/json;charset=utf-8');
     });
 
+    it('should send request with no cors header when passed an empty string', function () {
+      amplitude.init(apiKey, null, {
+        headers: { 'Cross-Origin-Resource-Policy': '' },
+      });
+      amplitude.logEvent('Event Type 1');
+      assert.lengthOf(server.requests, 1);
+      assert.notExists(server.requests[0].requestHeaders['Cross-Origin-Resource-Policy']);
+    });
+
+    it('should send request with no cors header when passed undefined', function () {
+      amplitude.init(apiKey, null, {
+        headers: { 'Cross-Origin-Resource-Policy': undefined },
+      });
+      amplitude.logEvent('Event Type 1');
+      assert.lengthOf(server.requests, 1);
+      assert.notExists(server.requests[0].requestHeaders['Cross-Origin-Resource-Policy']);
+    });
+
+    it('should send request with no cors header when passed null', function () {
+      amplitude.init(apiKey, null, {
+        headers: { 'Cross-Origin-Resource-Policy': null },
+      });
+      amplitude.logEvent('Event Type 1');
+      assert.lengthOf(server.requests, 1);
+      assert.notExists(server.requests[0].requestHeaders['Cross-Origin-Resource-Policy']);
+    });
+
+    it('should send request with custom cors header', function () {
+      amplitude.init(apiKey, null, {
+        headers: { 'Cross-Origin-Resource-Policy': 'same-site' },
+      });
+      amplitude.logEvent('Event Type 1');
+      assert.lengthOf(server.requests, 1);
+      assert.equal(server.requests[0].requestHeaders['Cross-Origin-Resource-Policy'], 'same-site');
+    });
+
     it('should send https request', function () {
       amplitude.options.forceHttps = true;
       amplitude.logEvent('Event Type 1');
@@ -1697,6 +1733,7 @@ describe('AmplitudeClient', function () {
       assert.equal(server.requests[0].url, 'https://api.amplitude.com');
       assert.equal(server.requests[0].method, 'POST');
       assert.equal(server.requests[0].async, true);
+      assert.equal(server.requests[0].requestHeaders['Cross-Origin-Resource-Policy'], 'cross-origin');
     });
 
     it('should send https request by configuration', function () {