Stream Collector with Terraform: how to configure crossDomain in collector.config.hocon file

I’m trying to configure the collector using the provided terraform scripts but I’m running into CORS errors. Is there a way to configure the crossDomain section of the collector.config.hocon file while using the terraform setup or is that only available if doing manual setup with jar file or via docker?

What CORS issues are you facing? You shouldn’t need to configure the crossDomain block for a regular deployment. The OPTIONS request from the collector responds with very permissive CORS headers by default so will work in a cross domain setting by default.

Most commonly, CORS issues are caused by the OPTIONS requests failing for one reason or another in development environments (for example, trying to hit an http endpoint from a https website because you haven’t set up SSL yet, or something). Could you check if your OPTIONS requests in the network tab of your browser’s developer tools are succeeding? If so, what do the CORS headers look like?


Also, could you send over the console output from your browser regarding the CORS errors? It might shed some light on what’s going on.

Hi Paul,
Thanks for your response. The CORS error that I’m facing in the console is:

Access to XMLHttpRequest at ‘https://tracker.domain/com.acme/track/com.snowplowanalytics.snowplow/tp2’ from origin ‘’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

In preflight, I have the same headers as you showed:

  1. access-control-allow-credentials:true
  2. access-control-allow-headers:Content-Type, SP-Anonymous
  3. access-control-allow-origin:
  4. access-control-max-age:5
  5. content-length: 0

Both domains have the SSL cert configured


That collector URL looks a bit strange. I’d expect to see something like: https://tracker.domain/com.snowplowanalytics.snowplow/tp2

This suggests your tracker configuration might be wrong. It should look something like:

window.snowplow('newTracker', 'sp1', 'https://tracker.domain', {
  appId: 'my-app-id'
});
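
Added example, not part of the thread and not Snowplow code: an offline triage helper for a request captured from the browser's network tab. It checks the endpoint path against the one quoted above, then applies the browser's Access-Control-Allow-Origin check to the preflight and to the POST response. The origin `https://shop.example`, the 404 status, the header-less POST response and the credentialed request are constructed assumptions.

```javascript
// Added example; every sample value below is constructed, not taken from a real deployment.
const EXPECTED_PATH = '/com.snowplowanalytics.snowplow/tp2'; // path quoted in the thread

// Lower-case header names so lookups are case-insensitive.
function normalise(headers) {
  return Object.fromEntries(
    Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));
}

// Would a browser accept this response for a cross-origin request from `origin`?
function corsAllows(headers, origin, withCredentials) {
  const h = normalise(headers);
  const allowOrigin = h['access-control-allow-origin'];
  if (!allowOrigin) return false;                   // header absent or empty
  if (allowOrigin === '*') return !withCredentials; // wildcard is rejected with credentials
  if (allowOrigin !== origin) return false;
  return !withCredentials || h['access-control-allow-credentials'] === 'true';
}

// Check the endpoint path first, then the preflight, then the actual POST response.
function diagnose({ origin, url, withCredentials, preflight, response }) {
  const findings = [];
  const path = new URL(url).pathname;
  if (path !== EXPECTED_PATH) {
    findings.push(`unexpected collector path ${path}; check the endpoint passed to newTracker`);
  }
  const preflightOk = preflight.status >= 200 && preflight.status <= 299;
  if (!preflightOk || !corsAllows(preflight.headers, origin, withCredentials)) {
    findings.push('preflight (OPTIONS) failed the CORS check');
  }
  if (!corsAllows(response.headers, origin, withCredentials)) {
    findings.push(`POST response (HTTP ${response.status}) lacks a usable Access-Control-Allow-Origin`);
  }
  return findings;
}

const okHeaders = {
  'Access-Control-Allow-Origin': 'https://shop.example',
  'Access-Control-Allow-Credentials': 'true',
};
const broken = {
  origin: 'https://shop.example', withCredentials: true,
  url: 'https://tracker.domain/com.acme/track/com.snowplowanalytics.snowplow/tp2',
  preflight: { status: 200, headers: okHeaders },
  response: { status: 404, headers: {} }, // assumption: unknown path answered without CORS headers
};
const fixed = { ...broken, url: 'https://tracker.domain' + EXPECTED_PATH,
  response: { status: 200, headers: okHeaders } };
console.log(diagnose(broken), diagnose(fixed));
```

A passing preflight next to a blocked POST, as in the first capture, points at the request URL rather than at the collector's CORS settings.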

Thanks Paul,
That was indeed the issue, must have been a bad copy-paste job while trying to resolve a previous issue. Thanks for the assistance!

Best Regards,

However, in the future we did want to limit the domains that can send events to the tracker. What would be the best way of achieving that? Would it then be the aforementioned crossDomain settings?

There’s currently no option to restrict collection based on the CORS headers. In reality, CORS headers don’t offer much security in terms of unexpected events; anyone could send events to a collector outside of a browser to circumvent CORS. There’s an open PR on the topic with lots of discussion (particularly at the end after the initial code review): Add option to restrict Access-Control-Allow-Origin header to certain domains by pithlessly · Pull Request #151 · snowplow/stream-collector · GitHub

If you do want some additional security, setting up firewall rules would be the best option. Something like WAF should do the trick: AWS WAF - Web Application Firewall - Amazon Web Services (AWS)

Thanks for the insight Paul