allow kbn-xsrf headers to be set on CORS request

elastic · Dec 8, 2020 · 3e19081 · 3e19081
1 parent d0956f8
commit 3e19081
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 1 deletion.
diff --git a/src/core/server/http/http_tools.test.ts b/src/core/server/http/http_tools.test.ts
@@ -188,6 +188,25 @@ describe('getServerOptions', () => {
       }
     `);
   });
+
+  it('properly configures CORS when cors enabled', () => {
+    const httpConfig = new HttpConfig(
+      config.schema.validate({
+        cors: {
+          enabled: true,
+          credentials: false,
+          origin: '*',
+        },
+      }),
+      {} as any
+    );
+
+    expect(getServerOptions(httpConfig).routes?.cors).toEqual({
+      credentials: false,
+      origin: '*',
+      headers: ['Accept', 'Authorization', 'Content-Type', 'If-None-Match', 'kbn-xsrf'],
+    });
+  });
 });
 
 describe('getRequestId', () => {

diff --git a/src/core/server/http/http_tools.ts b/src/core/server/http/http_tools.ts
@@ -32,6 +32,7 @@ import uuid from 'uuid';
 import { HttpConfig } from './http_config';
 import { validateObject } from './prototype_pollution';
 
+const corsAllowedHeaders = ['Accept', 'Authorization', 'Content-Type', 'If-None-Match', 'kbn-xsrf'];
 /**
  * Converts Kibana `HttpConfig` into `ServerOptions` that are accepted by the Hapi server.
  */
@@ -40,6 +41,7 @@ export function getServerOptions(config: HttpConfig, { configureTLS = true } = {
     ? {
         credentials: config.cors.credentials,
         origin: config.cors.origin,
+        headers: corsAllowedHeaders,
       }
     : false;
   // Note that all connection options configured here should be exactly the same

diff --git a/x-pack/test/functional_cors/plugins/kibana_cors_test/server/plugin.ts b/x-pack/test/functional_cors/plugins/kibana_cors_test/server/plugin.ts
@@ -25,8 +25,10 @@ function renderBody(kibanaUrl: string) {
   </head>
   <script>
 fetch('${url}', {
+  method: 'POST',
   headers: {
     Authorization: 'Basic ${apiToken}',
+    'kbn-xsrf': 'kibana',
   },
   credentials: 'include',
 })
@@ -47,7 +49,7 @@ export class CorsTestPlugin implements Plugin {
 
   async setup(core: CoreSetup) {
     const router = core.http.createRouter();
-    router.get({ path: '/cors-test', validate: false }, (_context, req, res) =>
+    router.post({ path: '/cors-test', validate: false }, (context, req, res) =>
       res.ok({ body: 'content from kibana' })
     );
   }