Allow more headers in CORS policies (#32637)

GitOrigin-RevId: a008a79455d0c85bc909892952ff0417c7527d09

crates/common/src/http/mod.rs

@@ -57,6 +57,7 @@ use http::{
         HeaderName,
         HeaderValue,
         ACCEPT,
+        ACCEPT_LANGUAGE,
         AUTHORIZATION,
         CONTENT_TYPE,
         REFERER,
@@ -1139,12 +1140,15 @@ impl<T: fmt::Display> fmt::Display for LogOptFmt<T> {
 pub fn cli_cors() -> CorsLayer {
     CorsLayer::new()
         .allow_headers(vec![
-            CONTENT_TYPE,
-            AUTHORIZATION,
+            "baggage".parse().unwrap(),
+            "sentry-trace".parse().unwrap(),
             ACCEPT,
+            ACCEPT_LANGUAGE,
+            AUTHORIZATION,
+            CONTENT_TYPE,
+            CONVEX_CLIENT_HEADER,
             REFERER,
             USER_AGENT,
-            CONVEX_CLIENT_HEADER,
         ])
         .allow_credentials(true)
         .allow_methods(vec![

crates/local_backend/src/router.rs

@@ -30,8 +30,12 @@ use common::{
 };
 use http::{
     header::{
+        ACCEPT,
+        ACCEPT_LANGUAGE,
         AUTHORIZATION,
         CONTENT_TYPE,
+        REFERER,
+        USER_AGENT,
     },
     request,
     HeaderValue,
@@ -341,7 +345,17 @@ where
 
 pub fn cors() -> CorsLayer {
     CorsLayer::new()
-        .allow_headers(vec![CONTENT_TYPE, "sentry-trace".parse().unwrap(), "baggage".parse().unwrap(), CONVEX_CLIENT_HEADER, AUTHORIZATION])
+        .allow_headers(vec![
+           "baggage".parse().unwrap(),
+           "sentry-trace".parse().unwrap(),
+           ACCEPT,
+           ACCEPT_LANGUAGE,
+           AUTHORIZATION,
+           CONTENT_TYPE,
+           CONVEX_CLIENT_HEADER,
+           REFERER,
+           USER_AGENT,
+        ])
         .allow_credentials(true)
         .allow_methods(vec![
             Method::GET,