From cc7cb3716ed4106326bb064882ee235694cbf9b2 Mon Sep 17 00:00:00 2001
From: Cedric Ziel <cedric.ziel@grafana.com>
Date: Wed, 22 Nov 2023 12:23:26 +0100
Subject: [PATCH 1/2] Allow x-faro-session-id header for faro receiver (#5835)

---
 component/faro/receiver/handler.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/component/faro/receiver/handler.go b/component/faro/receiver/handler.go
index fb8511e0bbde..636f00859e2b 100644
--- a/component/faro/receiver/handler.go
+++ b/component/faro/receiver/handler.go
@@ -69,7 +69,7 @@ func (h *handler) Update(args ServerArguments) {
 	if len(args.CORSAllowedOrigins) > 0 {
 		h.cors = cors.New(cors.Options{
 			AllowedOrigins: args.CORSAllowedOrigins,
-			AllowedHeaders: []string{apiKeyHeader, "content-type"},
+			AllowedHeaders: []string{apiKeyHeader, "content-type", "x-faro-session-id"},
 		})
 	} else {
 		h.cors = nil // Disable cors.

From 7da5726b2794dcc10d5330ce976dd53a21313a12 Mon Sep 17 00:00:00 2001
From: Robert Fratto <robertfratto@gmail.com>
Date: Wed, 22 Nov 2023 09:04:47 -0500
Subject: [PATCH 2/2] misc: follow up on #5835 (#5837)

* Add missing CHANGELOG entry
* Mirror fix to static mode
---
 CHANGELOG.md                                      | 6 ++++++
 pkg/integrations/v2/app_agent_receiver/handler.go | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 78652c614c94..8203fedb4b5f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,12 @@ internal API changes are not present.
 Main (unreleased)
 -----------------
 
+### Bugfixes
+
+- Permit `X-Faro-Session-ID` header in CORS requests for the `faro.receiver`
+  component (flow mode) and the `app_agent_receiver` integration (static mode).
+  (@cedricziel)
+
 v0.38.0 (2023-11-21)
 --------------------
 
diff --git a/pkg/integrations/v2/app_agent_receiver/handler.go b/pkg/integrations/v2/app_agent_receiver/handler.go
index 6831885cb51b..c430e9099312 100644
--- a/pkg/integrations/v2/app_agent_receiver/handler.go
+++ b/pkg/integrations/v2/app_agent_receiver/handler.go
@@ -117,7 +117,7 @@ func (ar *AppAgentReceiverHandler) HTTPHandler(logger log.Logger) http.Handler {
 	if len(ar.config.Server.CORSAllowedOrigins) > 0 {
 		c := cors.New(cors.Options{
 			AllowedOrigins: ar.config.Server.CORSAllowedOrigins,
-			AllowedHeaders: []string{apiKeyHeader, "content-type"},
+			AllowedHeaders: []string{apiKeyHeader, "content-type", "x-faro-session-id"},
 		})
 		handler = c.Handler(handler)
 	}