Responses with missing CORS headers were returned to browser clients starting around 9am PT this morning
Incident Report for LaunchDarkly
Postmortem

This incident was limited to only a handful of our customers. It was caused by some new code that had been rolled out to only a fraction of our customers and the only affected customers were those whose clients were using slightly malformed “user” contexts. Those contexts were rejected as invalid by the new code and a http response code of 400 was returned. The problem manifested itself as a CORS problem because the http error response did not have the expected CORS headers required for the browser to receive the response. The “user” context is described in detail at https://docs.launchdarkly.com/sdk/client-side/javascript#users. In at least one case, a user context with a “custom” attribute of type “null” was received instead of the expected “object” type, leading to a 400 response without CORS headers. Prior to rolling out this new code path again, we will ensure we return proper CORS headers for our error responses and also accept as valid the malformed “user” contexts that we have accepted previously.

Posted May 11, 2021 - 21:55 PDT

Resolved
This incident has been resolved.
Posted May 11, 2021 - 11:20 PDT
Monitoring
We have rolled back changes that we believe may have led to this issue and are investigating further to understand the cause.
Posted May 11, 2021 - 11:09 PDT
This incident affected: Feature flag CDN.