Network inteceptor throws CORS error when uploading file.

[ronaldcubezoo]

Describe the bug
The GleapNetworkInterceptor wraps the browser's native XMLHttpRequest and fetch on initialization. When a cross-origin PUT request is made (in our case, Livewire temporary file uploads to DigitalOcean Spaces via pre-signed S3-compatible URLs), the interceptor modifies the outgoing request in a way that causes the CORS preflight OPTIONS check to fail. The upload is blocked with:
Access to XMLHttpRequest at 'https://fra1.digitaloceanspaces.com/...' has been blocked
by CORS policy: Response to preflight request doesn't pass access control check:
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Steps to reproduce

Initialize Gleap on a page that performs cross-origin file uploads
Trigger a file upload to a pre-signed S3-compatible URL (e.g. DigitalOcean Spaces)
Observe the OPTIONS preflight fail in the browser console, originating from GleapNetworkIntercepter.js

Expected behaviour
Cross-origin requests should not be intercepted or modified by Gleap. The native XMLHttpRequest behaviour should be preserved for requests outside the Gleap domain.
Actual behaviour
GleapNetworkIntercepter.js wraps XMLHttpRequest, causing the preflight to fail and the upload to be blocked entirely.
Workaround
Save a reference to the native XMLHttpRequest and fetch before Gleap initializes, and bypass the interceptor for affected URLs using setNetworkLogsBlacklist(["digitaloceanspaces.com"]).
Environment

Gleap JS SDK (latest)
Laravel + Livewire
DigitalOcean Spaces (S3-compatible, pre-signed URLs)
Chrome 148

[boehlerlukas]

Hey @ronaldcubezoo !
Thanks for sharing. The team will happily take a look.

[boehlerlukas]

Hey @ronaldcubezoo

Thanks again for the detailed report. Based on the SDK source, the Gleap network interceptor is fully passive — it wraps fetch/XHR purely to log requests and forwards every call to the browser unchanged (it doesn't add headers, or alter the method, URL, body, or credentials). It also can't affect the part that's failing: the CORS preflight (OPTIONS) is issued by the browser's network layer, below the JavaScript APIs we wrap, so JavaScript — ours or anyone's — can neither see nor modify it.

Could you help us confirm by fully disabling the Gleap SDK (remove the init/snippet entirely, not just blacklisting the URL) and retrying the same upload? We expect it to fail in exactly the same way, which would point to the actual cause: the No 'Access-Control-Allow-Origin' header is present error means your DigitalOcean Space's CORS policy isn't allowing the request. Adding a CORS rule on the Space that permits your app's origin + the PUT method should resolve it.

One note on the workaround: setNetworkLogsBlacklist only filters what Gleap logs before sending logs to us — it doesn't change how your requests are sent, so it wouldn't have affected the upload either way. Gleap likely just showed up in the stack trace because it wraps fetch/XHR, which can look like causation even when the call is a straight pass-through.

If disabling Gleap somehow does change the behavior, please send us a HAR capture of the failing request both with and without Gleap — we'll dig in immediately.