Skip to content

fix(api): open CORS on /attribution/identify (browser SDK was blocked for hosted tenants)#38

Merged
keithfawcett merged 1 commit into
mainfrom
fix/identify-open-cors
Jul 8, 2026
Merged

fix(api): open CORS on /attribution/identify (browser SDK was blocked for hosted tenants)#38
keithfawcett merged 1 commit into
mainfrom
fix/identify-open-cors

Conversation

@keithfawcett

Copy link
Copy Markdown
Contributor

Found while writing the brand integration docs: the browser SDK posts /attribution/identify from the brand's own website origin, which is never in our CORS allowlist — so the documented browser integration silently could not work on hosted tenants without ops adding every brand site to CORS_EXTRA_ORIGINS.

Fix: analytics-collector CORS for exactly this path (any origin, no credentials) — the endpoint is deliberately unauthenticated, IP-rate-limited, reads no cookies, and returns nothing sensitive. All other routes keep the strict allowlist + credentials; a test pins both sides (open on identify incl. /t/<slug>/ + /api/t/<slug>/ shapes, closed elsewhere).

🤖 Generated with Claude Code

The browser SDK's stitch call comes from the BRAND'S OWN website origin
(acme.com) — never in our allowlist — so identify() was CORS-blocked for
every hosted tenant unless ops hand-added their site to
CORS_EXTRA_ORIGINS. The endpoint is deliberately unauthenticated,
rate-limited, cookie-free, and returns nothing sensitive, so it gets
analytics-collector CORS: any origin, NO credentials. Every other route
keeps the strict allowlist + credentials (pinned by test).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@keithfawcett keithfawcett merged commit 06cfd67 into main Jul 8, 2026
9 checks passed
@keithfawcett keithfawcett deleted the fix/identify-open-cors branch July 8, 2026 18:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant