CORS related error when using flipt-web with OpenFeature

[tituscarl]

I have encountered error when using flipt-web with OpenFeature, does anyone know what could be possible reasons?
Flipt version: v1.48.0
Deployed on Kubernetes.
Error:
Access to fetch at 'http://localhost:8080/internal/v1/evaluation/snapshot/namespace/default' from origin 'http://localhost:5173' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

[dosubot[bot]]

Hi @tituscarl! I'm Dosu and I’m helping the flipt team.

CORS is disabled by default in Flipt, which is why you're seeing this error. You need to explicitly enable it.

Quick fix — add to your Flipt configuration:

cors:
  enabled: true
  allowed_origins:
    - "http://localhost:5173"

Or via environment variables in your Kubernetes deployment:

env:
  - name: FLIPT_CORS_ENABLED
    value: "true"
  - name: FLIPT_CORS_ALLOWED_ORIGINS
    value: "http://localhost:5173"

After updating, restart your Flipt deployment for the changes to take effect.

The CORS middleware applies to all HTTP endpoints including the /internal/v1/evaluation endpoints used by flipt-web with OpenFeature (source). When enabled, it automatically allows credentials and common methods (GET, POST, PUT, DELETE, OPTIONS).

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

   

[tituscarl]

I have also done setting this in my deployment, is there anything I missed?

cors:
  enabled: true
  allowed_origins:
    - "http://localhost:5173"

[tituscarl]

I have also done setting this in my deployment, is there anything I missed?

cors:
  enabled: true
  allowed_origins:
    - "http://localhost:5173"

[erka]

Hey @tituscarl

There were few bugs related to this and you are running not the latest versions.
You may need to have allowed_headers as well in your configuration with extra records there with header names.

#4620

[tituscarl]

If so may I know on what version does this bug is fixed? Thank you!

[erka]

You may need just add allowed_headers to your configuration to resolve the issue. I wish we have a better error log there.

[tituscarl]

  allowed_headers:
        - "Authorization"
        - "Content-Type"
        - "Access-Control-Allow-Origin"

Added this in my config and still have Issues.

[erka]

cors:
  enabled: true
  allowed_origins:
    - http://localhost:5173
  allowed_headers:
    - Accept
    - Authorization
    - Content-Type
    - X-CSRF-Token
    - X-Flipt-Namespace
    - X-Flipt-Accept-Server-Version
    - X-Flipt-Environment

Please give it a try @tituscarl

[tituscarl]

@erka Thank you so much, it worked!