W3C traceparent and CORS: should browsers expose distributed trace IDs?

traceparent is primarily for server hops; exposing it to JavaScript can leak internal topology if misused.


Expose-Headers allowlist

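On a cross-origin response, fetch can read only the CORS-safelisted headers plus those the server lists in Access-Control-Expose-Headers, so keep that list a narrow allowlist and never mirror full trace payloads to the client.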

If you must return a request ID, use a short opaque token mapped server-side to traces.
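One way to apply both points on the server, as an added example that is not code from this blog: trace context is stripped from the client-facing response, a random token is mapped to the trace ID server-side, and only that token is exposed. The X-Request-Id header name, the function names, the in-memory traceIndex map and the sample values are assumptions.

```javascript
// Added example: header name, function names and sample values are assumptions.
// Web Crypto is a global in browsers and current Node; older Node needs the module.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

const TRACE_HEADERS = new Set(["traceparent", "tracestate"]);
const TRACEPARENT_RE = /^[0-9a-f]{2}-([0-9a-f]{32})-[0-9a-f]{16}-[0-9a-f]{2}$/;

// Server-side map: opaque token -> trace ID (in-memory for the example).
const traceIndex = new Map();

// Constructed upstream response headers for the example.
const SAMPLE_UPSTREAM = {
  "Content-Type": "application/json",
  traceparent: "00-" + "ab".repeat(16) + "-" + "cd".repeat(8) + "-01",
  tracestate: "vendor=internal-node-7",
};

function issueRequestId(traceparent) {
  const m = TRACEPARENT_RE.exec(traceparent);
  if (!m) return null; // malformed header: issue nothing
  const bytes = webCrypto.getRandomValues(new Uint8Array(8));
  const token = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
  traceIndex.set(token, m[1]); // the trace ID never leaves the server
  return token;
}

// Headers for the cross-origin response: trace context is dropped and only
// the opaque token appears in Access-Control-Expose-Headers.
function clientResponseHeaders(upstream, allowedOrigin) {
  const out = { "Access-Control-Allow-Origin": allowedOrigin };
  let traceparent = "";
  for (const [name, value] of Object.entries(upstream)) {
    const lower = name.toLowerCase();
    if (lower === "traceparent") traceparent = value;
    if (!TRACE_HEADERS.has(lower)) out[name] = value;
  }
  const token = issueRequestId(traceparent);
  if (token) {
    out["X-Request-Id"] = token;
    out["Access-Control-Expose-Headers"] = "X-Request-Id";
  }
  return out;
}

// Config check: entries in an expose list that would hand trace context to scripts.
function auditExposeHeaders(value) {
  return value.split(",").map((h) => h.trim().toLowerCase())
    .filter((h) => h === "*" || TRACE_HEADERS.has(h));
}
```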

Compliance

GDPR and similar regimes may treat persistent IDs as personal data when tied to accounts, so document how long they are retained.

Third-party RUM scripts reading headers need explicit consent in some jurisdictions.
