Add ability to specify CORS accepted origins #84316
Conversation
mshustov
added
release_note:enhancement
Team:Core
| @@ -445,6 +445,15 @@ deprecation warning at startup. This setting cannot end in a slash (`/`). | |||
| | [[server-compression]] `server.compression.enabled:` | |||
| | Set to `false` to disable HTTP compression for all responses. *Default: `true`* | |||
|
|
|||
| | `server.cors.enabled:` | |||
| | experimental[] Set to `true` to allow cross-origin API calls. *Default:* `false` | |||
There was a problem hiding this comment.
@kobelb We should start with marking it as experimental, I suppose
There was a problem hiding this comment.
If we're marking the old server.cors setting as deprecated, then I'm not sure we should replace it with an experimental setting. Is there a reason to believe this won't be stable enough to mark as GA?
|
Pinging @elastic/kibana-core (Team:Core) |
mshustov
changed the title
x-pack/test/functional_cors/plugins/kibana_cors_test/server/plugin.ts
Outdated
Show resolved
Hide resolved
| it('Communicates to Kibana with configured CORS', async () => { | ||
| const args: string[] = config.get('kbnTestServer.serverArgs'); | ||
| const originSetting = args.find((str) => str.includes('server.cors.origin')); | ||
| if (!originSetting) { | ||
| throw new Error('Cannot find "server.cors.origin" argument'); | ||
| } | ||
| const [, value] = originSetting.split('='); | ||
| const url = JSON.parse(value); | ||
|
|
||
| await browser.navigateTo(url[0]); | ||
| const element = await find.byCssSelector('p'); | ||
| expect(await element.getVisibleText()).to.be('content from kibana'); | ||
| }); |
| it('Communicates to Kibana with configured CORS', async () => { | ||
| const args: string[] = config.get('kbnTestServer.serverArgs'); | ||
| const originSetting = args.find((str) => str.includes('server.cors.origin')); | ||
| if (!originSetting) { | ||
| throw new Error('Cannot find "server.cors.origin" argument'); | ||
| } | ||
| const [, value] = originSetting.split('='); | ||
| const url = JSON.parse(value); | ||
|
|
||
| await browser.navigateTo(url[0]); | ||
| const element = await find.byCssSelector('p'); | ||
| expect(await element.getVisibleText()).to.be('content from kibana'); | ||
| }); |
Co-authored-by: Larry Gregory <[email protected]>
There was a problem hiding this comment.
Thanks for adding this, @restrry.
Without the ability to customize the access-control-allow-headers response header and Kibana not responding to the OPTIONS pre-flights, the user will be limited to the APIs that they can call using CORS. Do we intend to add those in a separate PR, or is there a reason why we shouldn't do so?
@kobelb What kind of API is cannot be used with the current implementation? I can think of |
We shouldn't be adding APIs to the Currently, all non-
FWIW, my prior statement about Kibana not responding to |
|
Thanks for making these changes, @restrry. This is looking great! |
* add settings * update abab package to version with types * add test case for CORS * add tests for cors config * fix jest tests * add deprecation message * tweak deprecation * make test runable on Cloud * add docs * fix type error * add test to throw on invalid URL * address comments * Update src/core/server/http/http_config.test.ts Co-authored-by: Larry Gregory <[email protected]> * Update docs/setup/settings.asciidoc Co-authored-by: Brandon Kobel <[email protected]> * allow kbn-xsrf headers to be set on CORS request Co-authored-by: Larry Gregory <[email protected]> Co-authored-by: Brandon Kobel <[email protected]> # Conflicts: # src/core/server/config/deprecation/core_deprecations.ts # x-pack/scripts/functional_tests.js
* add settings * update abab package to version with types * add test case for CORS * add tests for cors config * fix jest tests * add deprecation message * tweak deprecation * make test runable on Cloud * add docs * fix type error * add test to throw on invalid URL * address comments * Update src/core/server/http/http_config.test.ts Co-authored-by: Larry Gregory <[email protected]> * Update docs/setup/settings.asciidoc Co-authored-by: Brandon Kobel <[email protected]> * allow kbn-xsrf headers to be set on CORS request Co-authored-by: Larry Gregory <[email protected]> Co-authored-by: Brandon Kobel <[email protected]> # Conflicts: # src/core/server/config/deprecation/core_deprecations.ts # x-pack/scripts/functional_tests.js
💚 Build SucceededMetrics [docs]Distributable file count
History
To update your PR or re-run it, just comment with: |
Resolves #16714.
Summary
The current implementation is based on a discussion in the parent issue.
Kibana supports only 3 CORS options at the moment:
server.cors.enabledSet to true to allow cross-origin API calls. Default: falseserver.cors.credentialsSet to true to allow browser code to access response body whenever request performed with user credentials. Default: falseserver.cors.originList of origins permitted to access resources. You must specify server.cors.origin when server.cors.credentials: true. Default: "*"Kibana extend
Access-Control-Allow-Headerslist with the next headers:['Accept', 'Authorization', 'Content-Type', 'If-None-Match', 'kbn-xsrf']Checklist
Delete any items that are not applicable to this PR.
Release Notes
Added experimental support for configuring CORS policy:
server.cors.enabledSet to true to allow cross-origin API calls. Default: falseserver.cors.allowCredentialsSet to true to allow browser code to access response body whenever request performed with user credentials. Default: falseserver.cors.allowOriginList of origins permitted to access resources. You must specifyserver.cors.allowOriginwhenserver.cors.allowCredentials: true. Default: ["*"]