confighttp: add ExposedHeaders to CORSConfig #15119

Open
Rajneesh180 wants to merge 1 commit into open-telemetry:main from Rajneesh180:feat/cors-exposed-headers

@Rajneesh180
Contributor

CORSConfig maps AllowedOrigins, AllowedHeaders, and MaxAge into cors.Options, but doesn't map ExposedHeaders even though rs/cors supports it. This means there's no way to set Access-Control-Expose-Headers through receiver config — anyone who needs it has to write a custom middleware.

This came up in jaegertracing/jaeger#8128 where the Jaeger UI needs specific headers exposed over CORS but has to work around this gap with a hand-rolled middleware.

Changes

  • Add ExposedHeaders []string to CORSConfig
  • Wire it into cors.Options in ToServer()
  • Add test
  • Update README
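
What the new field changes for a browser client, as an added example (not code from this PR or from rs/cors): a simplified model of the Fetch standard's response-header filtering, assuming the CORS origin check has already passed. `ReadableHeaders` and `SampleResponse` are hypothetical names, and the sample headers are constructed around the header names used in the PR's test.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// Response headers a cross-origin script may always read (Fetch safelist).
var safelisted = map[string]bool{"cache-control": true, "content-language": true,
	"content-length": true, "content-type": true, "expires": true,
	"last-modified": true, "pragma": true}

// ReadableHeaders lists the header names a cross-origin script may read.
func ReadableHeaders(resp http.Header, credentialed bool) []string {
	exposed := map[string]bool{}
	for _, v := range resp.Values("Access-Control-Expose-Headers") {
		for _, name := range strings.Split(v, ",") {
			exposed[strings.ToLower(strings.TrimSpace(name))] = true
		}
	}
	// "*" is a wildcard only when the request carried no credentials.
	wildcard := exposed["*"] && !credentialed
	out := []string{}
	for name := range resp {
		l := strings.ToLower(name)
		if l == "set-cookie" || l == "set-cookie2" {
			continue // forbidden response headers are never readable
		}
		if safelisted[l] || exposed[l] || wildcard {
			out = append(out, l)
		}
	}
	sort.Strings(out)
	return out
}

// SampleResponse returns constructed headers (not captured traffic).
func SampleResponse(expose string) http.Header {
	return http.Header{"Content-Type": {"application/json"}, "Set-Cookie": {"sid=constructed"},
		"X-Custom-Header": {"a"}, "X-Another-Header": {"b"},
		"Access-Control-Allow-Origin":   {"http://allowed.com"},
		"Access-Control-Expose-Headers": {expose}}
}

func main() {
	fmt.Println(ReadableHeaders(SampleResponse("X-Custom-Header, X-Another-Header"), true))
}
```

With an empty `exposed_headers` the script sees only `content-type`; with `*` on a credentialed request it still sees only `content-type`, because the wildcard is not honored there.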

Copilot AI review requested due to automatic review settings April 15, 2026 08:05
Rajneesh180 requested a review from a team as a code owner April 15, 2026 08:05
Rajneesh180 requested a review from mx-psi April 15, 2026 08:05

Copilot AI left a comment

Pull request overview

This PR extends config/confighttp server CORS configuration to support setting Access-Control-Expose-Headers via receiver configuration, aligning CORSConfig with rs/cors capabilities.

Changes:

  • Add ExposedHeaders []string to CORSConfig.
  • Map CORSConfig.ExposedHeaders into cors.Options in ServerConfig.ToServer().
  • Add a server-side test and update README documentation; add a changelog entry.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| config/confighttp/server.go | Adds ExposedHeaders to CORSConfig and wires it into cors.Options. |
| config/confighttp/server_test.go | Adds a test asserting Access-Control-Expose-Headers is emitted on actual requests. |
| config/confighttp/README.md | Documents the new exposed_headers config key and provides an example. |
| .chloggen/add-cors-exposed-headers.yaml | Adds release-note entry for the new configuration option. |

Comment on lines +346 to +348
// ExposedHeaders sets the value of the Access-Control-Expose-Headers response
// header, indicating which headers are safe to expose to the API of a CORS response.
ExposedHeaders []string `mapstructure:"exposed_headers,omitempty"`
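Review bot: the doc comment on ExposedHeaders should state the default and what listing a header implies. With the field empty, browsers let cross-origin scripts read only the CORS-safelisted response headers; every name listed here becomes readable by scripts from any origin in AllowedOrigins. Suggest adding a sentence to that effect and advising against listing headers that carry tokens or session identifiers.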

Copilot AI Apr 15, 2026

CORSConfig gained ExposedHeaders, but the package’s config.schema.yaml still defines cors_config without an exposed_headers property. This will make the new setting invisible/invalid for schema-driven tooling. Update config/confighttp/config.schema.yaml to include exposed_headers (type array of strings) with a matching description.

Comment on lines 246 to +250
co := cors.Options{
AllowedOrigins: corsConfig.AllowedOrigins,
AllowCredentials: true,
AllowedHeaders: corsConfig.AllowedHeaders,
ExposedHeaders: corsConfig.ExposedHeaders,
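Review bot: ExposedHeaders is passed straight through next to the hard-coded AllowCredentials: true, so a "*" entry will not behave the way an operator is likely to expect. For credentialed requests browsers treat Access-Control-Expose-Headers: * as a header literally named "*", not as a wildcard. Either reject "*" in exposed_headers during config validation or state in the README that each header must be listed by name.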

Copilot AI Apr 15, 2026

CORS config is ignored when AllowedOrigins is empty, but the warning currently only triggers when AllowedHeaders is set. With the new ExposedHeaders field (and existing MaxAge), misconfigurations can now be silently ignored. Consider broadening the warning condition/message to include other non-empty CORS fields (e.g., ExposedHeaders, MaxAge).

Comment on lines +458 to +467
func TestHTTPCorsExposedHeaders(t *testing.T) {
sc := &ServerConfig{
NetAddr: confignet.AddrConfig{
Endpoint: "localhost:0",
Transport: confignet.TransportTypeTCP,
},
CORS: configoptional.Some(CORSConfig{
AllowedOrigins: []string{"http://allowed.com"},
ExposedHeaders: []string{"X-Custom-Header", "X-Another-Header"},
}),
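Review bot: a negative case is worth adding next to this setup, which allows only http://allowed.com. If it is not already covered further down in the test, send a request with a different Origin and assert that Access-Control-Expose-Headers is absent from the response, so the test pins down that exposed headers are never advertised to origins outside AllowedOrigins.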

Copilot AI Apr 15, 2026

This test validates wiring into cors.Options, but it doesn’t verify that exposed_headers can be set via YAML/unmarshal (the core motivation in the PR description). Consider extending the existing YAML unmarshal “comprehensive config” testdata + assertions to include exposed_headers, so the mapstructure tag is exercised.

@codecov

codecov Bot commented Apr 15, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.25%. Comparing base (307e3ab) to head (2a4db6b).

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #15119      +/-   ##
==========================================
+ Coverage   91.24%   91.25%   +0.01%     
==========================================
  Files         699      699              
  Lines       44913    44914       +1     
==========================================
+ Hits        40979    40986       +7     
+ Misses       2786     2782       -4     
+ Partials     1148     1146       -2     

Signed-off-by: Rajneesh Chaudhary <rajneeshrehsaan48@gmail.com>
Rajneesh180 force-pushed the feat/cors-exposed-headers branch from 5d10680 to 2a4db6b April 15, 2026 16:17
@codspeed-hq

codspeed-hq Bot commented Apr 16, 2026

Merging this PR will degrade performance by 30.87%

⚠️ Unknown Walltime execution environment detected

Using the Walltime instrument on standard Hosted Runners will lead to inconsistent data.

For the most accurate results, we recommend using CodSpeed Macro Runners: bare-metal machines fine-tuned for performance measurement consistency.

⚠️ Different runtime environments detected

Some benchmarks with significant performance changes were compared across different runtime environments,
which may affect the accuracy of the results.

❌ 2 regressed benchmarks
✅ 5 untouched benchmarks
⏩ 76 skipped benchmarks [1]

⚠️ Please fix the performance issues or acknowledge them on CodSpeed.

Performance Changes

| Benchmark | BASE | HEAD | Efficiency |
| --- | --- | --- | --- |
| BenchmarkHTTPProtoLogsSequential | 3.7 ms | 5 ms | -25.49% |
| BenchmarkGRPCLogsSequential | 4.3 ms | 6.2 ms | -30.87% |

Comparing Rajneesh180:feat/cors-exposed-headers (2a4db6b) with main (307e3ab)

Footnotes

  1. 76 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

@Rajneesh180
Contributor Author

@mx-psi The CodSpeed regression looks like a false positive — their own report flags "Unknown Walltime execution environment detected" and "Different runtime environments detected," which explains the variance. The change itself only adds a []string field to the struct.

The YAML unmarshal test for ExposedHeaders and the config.schema.yaml update are both already included in this commit (the Copilot review items). Let me know if anything else is needed!

@dmathieu
Member

Yes, CodSpeed is rather unreliable. You can ignore it.
