Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: open-feature/flagd
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: flagd/v0.14.2
Choose a base ref
...
head repository: open-feature/flagd
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: flagd/v0.14.3
Choose a head ref
  • 2 commits
  • 4 files changed
  • 2 contributors

Commits on Mar 10, 2026

  1. fix: OFREP service CORS missing AllowedHeaders - blocks Flagd-Selecto… 

    …r header (#1900)

## Summary

- Replaces the inline `cors.Options` in the OFREP service with the
shared CORS middleware from `pkg/service/middleware/cors/`
- This adds `AllowedHeaders: []string{"*"}` to OFREP preflight
responses, unblocking the `Flagd-Selector` header from browser clients

## Problem

The OFREP service created its own `cors.Options` at
`ofrep_service.go:40` without setting `AllowedHeaders`. The `rs/cors`
library defaults to only allowing `accept`, `content-type`, and
`x-requested-with` — so browser preflight `OPTIONS` requests with
`Access-Control-Request-Headers: flagd-selector` were being rejected.

The handler explicitly reads this header at `handler.go:99` and
`handler.go:124`, so it's expected to be sent from browser clients.
Meanwhile, the Connect service already uses the shared CORS middleware
which sets `AllowedHeaders: []string{"*"}`.

Reported in [this Slack
thread](https://cloud-native.slack.com/archives/C066A48LK35/p1773065350366859).

## Fix

Swapped the inline `cors.New(cors.Options{...})` for
`corsmw.New(origins)` from the shared middleware package. This brings
OFREP in line with the Connect service and prevents future CORS config
divergence between the two.

### Related Issues

Fixes #1899

---------

Signed-off-by: Norris <[email protected]>
    @jonathannorris
    jonathannorris authored Mar 10, 2026
    Configuration menu
    Copy the full SHA
    08f0429 View commit details
    Browse the repository at this point in the history

  2. chore: release main (#1901) 

    🤖 I have created a release *beep* *boop*
---


<details><summary>flagd: 0.14.3</summary>

##
[0.14.3](flagd/v0.14.2...flagd/v0.14.3)
(2026-03-10)


### 🐛 Bug Fixes

* OFREP service CORS missing AllowedHeaders - blocks Flagd-Selector
header ([#1900](#1900))
([08f0429](08f0429))
</details>

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Signed-off-by: OpenFeature Bot <[email protected]>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
    @github-actions
    github-actions[bot] authored Mar 10, 2026
    Configuration menu
    Copy the full SHA
    6bd709c View commit details
    Browse the repository at this point in the history
Loading