Request header field sp-anonymous is not allowed by Access-Control-Allow-Headers in preflight response

We recently updated our Javascript tracker to v3.4.0, and are working on implementing anonymous tracking. We noticed when the anonymousTracking: { withServerAnonymisation: true } is set in the tracker config, the requests to the collector return a 0 status with the message: Access to XMLHttpRequest at 'https://<our-collector-url>.com/com.snowplowanalytics.snowplow/tp2' from origin 'https://www.<our-website>.com' has been blocked by CORS policy: Request header field sp-anonymous is not allowed by Access-Control-Allow-Headers in preflight response.

Also the collector URL and domain of the website is different in the above error.

Does this mean we need to update the collector config to allow the sp-anonymous header for these requests, or is there something else causing this? I’m asking here before diving too far into it, as I don’t have direct access to the collector, and would like to provide as much information when making the request.

I appreciate any help!
Jason

Hi @Jason_K

You need be running at least Snowplow Stream Collector v2.1.0+ for Anonymous Tracking. I’d probably advise jumping up to 2.5 or 2.6 if you’re upgrading as there are also numerous other fixes in these releases.

Additionally, if you have a proxy in front of the collector (or something that might rewrite the OPTIONS headers, like your load balancer), then you’ll need to ensure the following header is present on the OPTIONS tp2 request: access-control-allow-headers: Content-Type, SP-Anonymous.

Hope that helps.

Thank you @PaulBoocock, that helps a lot. I will send this information over to our team and will follow up with any questions if they come up!