From 3e1908172b936c5b99b0c2d4d6839c6b05b7d278 Mon Sep 17 00:00:00 2001
From: restrry
Date: Tue, 8 Dec 2020 18:47:40 +0100
Subject: [PATCH] allow kbn-xsrf headers to be set on CORS request

---
 src/core/server/http/http_tools.test.ts | 19 +++++++++++++++++++
 src/core/server/http/http_tools.ts | 2 ++
 .../plugins/kibana_cors_test/server/plugin.ts | 4 +++-
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/src/core/server/http/http_tools.test.ts b/src/core/server/http/http_tools.test.ts
index da6ad7f1156cb..5db16c32375df 100644
--- a/src/core/server/http/http_tools.test.ts
+++ b/src/core/server/http/http_tools.test.ts
@@ -188,6 +188,25 @@ describe('getServerOptions', () => {
 }
 `);
 });
+
+ it('properly configures CORS when cors enabled', () => {
+ const httpConfig = new HttpConfig(
+ config.schema.validate({
+ cors: {
+ enabled: true,
+ credentials: false,
+ origin: '*',
+ },
+ }),
+ {} as any
+ );
+
+ expect(getServerOptions(httpConfig).routes?.cors).toEqual({
+ credentials: false,
+ origin: '*',
+ headers: ['Accept', 'Authorization', 'Content-Type', 'If-None-Match', 'kbn-xsrf'],
+ });
+ });
 });
 describe('getRequestId', () => {
diff --git a/src/core/server/http/http_tools.ts b/src/core/server/http/http_tools.ts
index 404471d9505c9..61688a51345b5 100644
--- a/src/core/server/http/http_tools.ts
+++ b/src/core/server/http/http_tools.ts
@@ -32,6 +32,7 @@ import uuid from 'uuid';
 import { HttpConfig } from './http_config';
 import { validateObject } from './prototype_pollution';
+const corsAllowedHeaders = ['Accept', 'Authorization', 'Content-Type', 'If-None-Match', 'kbn-xsrf'];
 /**
 * Converts Kibana `HttpConfig` into `ServerOptions` that are accepted by the Hapi server.
 */
@@ -40,6 +41,7 @@ export function getServerOptions(config: HttpConfig, { configureTLS = true } = {
 ? {
 credentials: config.cors.credentials,
 origin: config.cors.origin,
+ headers: corsAllowedHeaders,
 }
 : false;
 // Note that all connection options configured here should be exactly the same 
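Review bot: The new `it('properly configures CORS when cors enabled')` case asserts the complete header array, so it pins the four entries that are hapi's own default allowlist as much as the one header this commit introduces, and it will fail on an unrelated change to those defaults. If the intent is to guard the `kbn-xsrf` addition, `expect(getServerOptions(httpConfig).routes?.cors).toMatchObject({ headers: expect.arrayContaining(['kbn-xsrf']) });` states that directly; keeping the exact-list assertion is also defensible if the team wants to lock the full allowlist, but then a one-line comment saying so would help the next reader. `{} as any` for the second `HttpConfig` argument presumably mirrors neighbouring cases in this file; a typed stub would be preferable where one exists. The enclosing `describe('getServerOptions')` starts before the hunk.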
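Review bot: `corsAllowedHeaders` in http_tools.ts carries no comment explaining why `kbn-xsrf` belongs in the cross-origin allowlist, and the choice has a consequence the next maintainer should see: as far as I recall, `kbn-xsrf` is the header Kibana's XSRF guard looks for on non-safe methods, and that guard holds because a browser will not attach a custom header cross-origin unless CORS permits it. Listing it here means every origin admitted by `server.cors.origin` can satisfy that check, so the origin allowlist together with `credentials` becomes the trust boundary for state-changing requests; a comment such as `// hapi's default CORS header allowlist plus kbn-xsrf; origins admitted by server.cors.origin can therefore pass the XSRF header check, so keep that allowlist tight.` above the constant would record this. The first four entries duplicate hapi's built-in default for `cors.headers`, and hapi's route cors options also accept `additionalHeaders`; using `additionalHeaders: ['kbn-xsrf']` in the second hunk of this file would add the header without freezing a copy of hapi's defaults that can drift from the installed version.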
diff --git a/x-pack/test/functional_cors/plugins/kibana_cors_test/server/plugin.ts b/x-pack/test/functional_cors/plugins/kibana_cors_test/server/plugin.ts
index 062a7d42d8f56..4f545f8907cb7 100644
--- a/x-pack/test/functional_cors/plugins/kibana_cors_test/server/plugin.ts
+++ b/x-pack/test/functional_cors/plugins/kibana_cors_test/server/plugin.ts
@@ -25,8 +25,10 @@ function renderBody(kibanaUrl: string) {