From 4aa213ada8f9a645310f6c03f66756e61dd87796 Mon Sep 17 00:00:00 2001
From: Alexey Efimov <xeno@ydb.tech>
Date: Thu, 29 Aug 2024 15:33:01 +0200
Subject: [PATCH] fix CORS headers for traces (#8458)

---
 ydb/core/mon/async_http_mon.cpp | 5 +++--
 ydb/core/viewer/viewer.cpp      | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/ydb/core/mon/async_http_mon.cpp b/ydb/core/mon/async_http_mon.cpp
index d1dcb1dd5613..3e7fd7de614b 100644
--- a/ydb/core/mon/async_http_mon.cpp
+++ b/ydb/core/mon/async_http_mon.cpp
@@ -247,8 +247,9 @@ class THttpMonLegacyActorRequest : public TActorBootstrapped<THttpMonLegacyActor
         response << "HTTP/1.1 204 No Content\r\n"
                     "Access-Control-Allow-Origin: " << origin << "\r\n"
                     "Access-Control-Allow-Credentials: true\r\n"
-                    "Access-Control-Allow-Headers: Content-Type,Authorization,Origin,Accept,X-Trace-Verbosity,X-Want-Trace\r\n"
-                    "Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, DELETE\r\n"
+                    "Access-Control-Allow-Headers: Content-Type,Authorization,Origin,Accept,X-Trace-Verbosity,X-Want-Trace,traceparent\r\n"
+                    "Access-Control-Expose-Headers: traceresponse,X-Worker-Name\r\n"
+                    "Access-Control-Allow-Methods: OPTIONS,GET,POST,PUT,DELETE\r\n"
                     "Content-Type: " << type << "\r\n"
                     "Connection: keep-alive\r\n\r\n";
         ReplyWith(request->CreateResponseString(response));
diff --git a/ydb/core/viewer/viewer.cpp b/ydb/core/viewer/viewer.cpp
index 0ff26ecee440..664514d3487b 100644
--- a/ydb/core/viewer/viewer.cpp
+++ b/ydb/core/viewer/viewer.cpp
@@ -595,8 +595,9 @@ void TViewer::FillCORS(TStringBuilder& stream, const TRequestState& request) {
     if (origin) {
         stream << "Access-Control-Allow-Origin: " << origin << "\r\n"
                << "Access-Control-Allow-Credentials: true\r\n"
-               << "Access-Control-Allow-Headers: Content-Type,Authorization,Origin,Accept,X-Trace-Verbosity,X-Want-Trace\r\n"
-               << "Access-Control-Allow-Methods: OPTIONS, GET, POST, DELETE\r\n"
+               << "Access-Control-Allow-Headers: Content-Type,Authorization,Origin,Accept,X-Trace-Verbosity,X-Want-Trace,traceparent\r\n"
+               << "Access-Control-Expose-Headers: traceresponse,X-Worker-Name\r\n"
+               << "Access-Control-Allow-Methods: OPTIONS,GET,POST,PUT,DELETE\r\n"
                << "Allow: OPTIONS, GET, POST, DELETE\r\n";
     }
 }