fix(api): Set API identifying headers on all HTTP requests (CODY-4209) (#6102)

Closes
[CODY-4209](https://linear.app/sourcegraph/issue/CODY-4209/add-another-header-for-telemetry-purposes-that-bypasses-cors)

Sets the `X-Requested-With` flag on all HTTP requests. I tested this
locally with VSCode, Eclipse, JetBrains, Cody Web and the Cody CLI and
for each of them (in concert with
[these](sourcegraph/dev-private#120) two other
[PRs](sourcegraph/sourcegraph#1587)) saw the
headers appear in the logs when I made a chat interaction.
* VSCode identifies as `vscode`
* JetBrains identifies as `jetbrains`
* Eclipse identifies as `eclipse`
* Cody Web identifies as `web`
* Cody CLI identifies as `cody-cli`

We might consider either prepending each name with `sourcegraph-` if we
want to be very explicit that it's our apps, but I think it's pretty
clear with the current values and it's consistent with the clientName
and CodyIDE values used throughout the codebase today.

The one tricky bit here is Cody Web because at least when developing
locally, the requests to the SG instance are CORS requests and by
default the local server is not a trusted origin. In the two linked PRs
I added the headers to the trusted list and added the default vite
server URL to the local trusted origins. I *think* that we shouldn't
have to do anything for production because they shouldn't be CORS
requests then, right?

Are there any other places I might need to check or update to make sure
this works?

Edit: I just added the `if` statement to exclude these headers if we're
in development mode. If we like that I can probably close the
dev-private PR and we won't have to make any changes to S2.

## Test plan
Tested manually to see that the HTTP header was present

## Changelog
Sets the `X-Requested-With` header on all HTTP requests.
jamesmcnamara authored Nov 21, 2024
1 parent 25d3bc0 commit d93cc15
Showing 1 changed file with 9 additions and 5 deletions.
14 changes: 9 additions & 5 deletions lib/shared/src/sourcegraph-api/client-name-version.ts
Expand Up @@ -37,13 +37,17 @@ export function getClientIdentificationHeaders() {
: typeof navigator !== 'undefined' && navigator.userAgent
? `Browser ${navigator.userAgent}`
: 'Unknown environment'
return {
const headers: { [header: string]: string } = {
'User-Agent': `${clientName}/${clientVersion} (${runtimeInfo})`,
// NOTE: due to CORS: we need to be careful with adding other HTTP headers
// to not break Cody Web. The backend should accept X-Requested-With, but
// I was unable to test it locally so this is commented out for now.
// 'X-Requested-With': `${clientName}/${clientVersion}`,
}

// Only set these headers in non-demo mode, because the demo mode is
// running in a local server and thus the backend will regard it as an
// untrusted cross-origin request.
if (!process.env.CODY_WEB_DEMO) {
headers['X-Requested-With'] = `${clientName} ${clientVersion}`
}
return headers
}

export function addCodyClientIdentificationHeaders(headers: Headers): void {
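Review bot: The `if (!process.env.CODY_WEB_DEMO)` guard reads `process.env` in a function whose `runtimeInfo` branch just above already allows for a browser (`typeof navigator !== 'undefined'`), so in any bundle where `process` is neither defined nor replaced at build time this line would throw a ReferenceError instead of skipping the header; consider `typeof process !== 'undefined' && process.env.CODY_WEB_DEMO` or a build-time constant. The value is built as `${clientName} ${clientVersion}` with a space, while the `User-Agent` line and the commented-out line use `${clientName}/${clientVersion}`; pick one format and note it where the backend parses the header. The new comment says "these headers" although only `X-Requested-With` is set. Because the value is supplied by the client, the backend should treat it as telemetry only and not as evidence of which client actually sent the request.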