elastic
diff --git a/‎docs/setup/settings.asciidoc‎
Lines changed: 9 additions & 0 deletions b/‎docs/setup/settings.asciidoc‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎package.json‎
Lines changed: 1 addition & 1 deletion b/‎package.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/core/server/config/deprecation/core_deprecations.test.ts‎
Lines changed: 26 additions & 0 deletions b/‎src/core/server/config/deprecation/core_deprecations.test.ts‎
Lines changed: 26 additions & 0 deletions
diff --git a/‎src/core/server/config/deprecation/core_deprecations.ts‎
Lines changed: 12 additions & 0 deletions b/‎src/core/server/config/deprecation/core_deprecations.ts‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎src/core/server/http/__snapshots__/http_config.test.ts.snap‎
Lines changed: 5 additions & 1 deletion b/‎src/core/server/http/__snapshots__/http_config.test.ts.snap‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎src/core/server/http/cookie_session_storage.test.ts‎
Lines changed: 3 additions & 0 deletions b/‎src/core/server/http/cookie_session_storage.test.ts‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎src/core/server/http/http_config.test.ts‎
Lines changed: 53 additions & 0 deletions b/‎src/core/server/http/http_config.test.ts‎
Lines changed: 53 additions & 0 deletions
diff --git a/‎src/core/server/http/http_config.ts‎
Lines changed: 25 additions & 3 deletions b/‎src/core/server/http/http_config.ts‎
Lines changed: 25 additions & 3 deletions
diff --git a/‎src/core/server/http/http_server.test.ts‎
Lines changed: 3 additions & 0 deletions b/‎src/core/server/http/http_server.test.ts‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎src/core/server/http/http_tools.test.ts‎
Lines changed: 23 additions & 0 deletions b/‎src/core/server/http/http_tools.test.ts‎
Lines changed: 23 additions & 0 deletions
@@ -450,6 +450,15 @@ deprecation warning at startup. This setting cannot end in a slash (`/`).
 | [[server-compression]] `server.compression.enabled:`
  | Set to `false` to disable HTTP compression for all responses. *Default: `true`*
 
+| `server.cors.enabled:`
+ | experimental[] Set to `true` to allow cross-origin API calls. *Default:* `false`
+
+| `server.cors.credentials:`
+ | experimental[] Set to `true` to allow browser code to access response body whenever request performed with user credentials. *Default:* `false`
+
+| `server.cors.origin:`
+ | experimental[] List of origins permitted to access resources. You must specify explicit hostnames and not use `*` for `server.cors.origin` when `server.cors.credentials: true`. *Default:* "*"
+
 | `server.compression.referrerWhitelist:`
  | Specifies an array of trusted hostnames, such as the {kib} host, or a reverse
 proxy sitting in front of it. This determines whether HTTP compression may be used for responses, based on the request `Referer` header.
 
@@ -570,7 +570,7 @@
     "@typescript-eslint/parser": "^4.8.1",
     "@welldone-software/why-did-you-render": "^5.0.0",
     "@yarnpkg/lockfile": "^1.1.0",
-    "abab": "^1.0.4",
+    "abab": "^2.0.4",
     "angular-aria": "^1.8.0",
     "angular-mocks": "^1.7.9",
     "angular-recursion": "^1.0.5",
 
@@ -94,6 +94,32 @@ describe('core deprecations', () => {
     });
   });
 
+  describe('server.cors', () => {
+    it('renames server.cors to server.cors.enabled', () => {
+      const { migrated } = applyCoreDeprecations({
+        server: { cors: true },
+      });
+      expect(migrated.server.cors).toEqual({ enabled: true });
+    });
+    it('logs a warning message about server.cors renaming', () => {
+      const { messages } = applyCoreDeprecations({
+        server: { cors: true },
+      });
+      expect(messages).toMatchInlineSnapshot(`
+        Array [
+          "\\"server.cors\\" is deprecated and has been replaced by \\"server.cors.enabled\\"",
+        ]
+      `);
+    });
+    it('does not log deprecation message when server.cors.enabled set', () => {
+      const { migrated, messages } = applyCoreDeprecations({
+        server: { cors: { enabled: true } },
+      });
+      expect(migrated.server.cors).toEqual({ enabled: true });
+      expect(messages.length).toBe(0);
+    });
+  });
+
   describe('rewriteBasePath', () => {
     it('logs a warning is server.basePath is set and server.rewriteBasePath is not', () => {
       const { messages } = applyCoreDeprecations({
 
@@ -50,6 +50,17 @@ const rewriteBasePathDeprecation: ConfigDeprecation = (settings, fromPath, log)
   return settings;
 };
 
+const rewriteCorsSettings: ConfigDeprecation = (settings, fromPath, log) => {
+  const corsSettings = get(settings, 'server.cors');
+  if (typeof get(settings, 'server.cors') === 'boolean') {
+    log('"server.cors" is deprecated and has been replaced by "server.cors.enabled"');
+    settings.server.cors = {
+      enabled: corsSettings,
+    };
+  }
+  return settings;
+};
+
 const cspRulesDeprecation: ConfigDeprecation = (settings, fromPath, log) => {
   const NONCE_STRING = `{nonce}`;
   // Policies that should include the 'self' source
@@ -142,6 +153,7 @@ export const coreDeprecationProvider: ConfigDeprecationProvider = ({
   renameFromRoot('server.xsrf.whitelist', 'server.xsrf.allowlist'),
   unusedFromRoot('elasticsearch.preserveHost'),
   unusedFromRoot('elasticsearch.startupTimeout'),
+  rewriteCorsSettings,
   configPathDeprecation,
   dataPathDeprecation,
   rewriteBasePathDeprecation,
 
@@ -68,6 +68,9 @@ configService.atPath.mockImplementation((path) => {
         allowFromAnyIp: true,
         ipAllowlist: [],
       },
+      cors: {
+        enabled: false,
+      },
     } as any);
   }
   if (path === 'externalUrl') {
 
@@ -330,6 +330,59 @@ describe('with compression', () => {
   });
 });
 
+describe('cors', () => {
+  describe('origin', () => {
+    it('list cannot be empty', () => {
+      expect(() =>
+        config.schema.validate({
+          cors: {
+            origin: [],
+          },
+        })
+      ).toThrowErrorMatchingInlineSnapshot(`
+              "[cors.origin]: types that failed validation:
+              - [cors.origin.0]: expected value to equal [*]
+              - [cors.origin.1]: array size is [0], but cannot be smaller than [1]"
+          `);
+    });
+
+    it('list of valid URLs', () => {
+      const origin = ['http://127.0.0.1:3000', 'https://elastic.co'];
+      expect(
+        config.schema.validate({
+          cors: { origin },
+        }).cors.origin
+      ).toStrictEqual(origin);
+
+      expect(() =>
+        config.schema.validate({
+          cors: {
+            origin: ['*://elastic.co/*'],
+          },
+        })
+      ).toThrow();
+    });
+
+    it('can be configured as "*" wildcard', () => {
+      expect(config.schema.validate({ cors: { origin: '*' } }).cors.origin).toBe('*');
+    });
+  });
+  describe('credentials', () => {
+    it('cannot use wildcard origin if "credentials: true"', () => {
+      expect(
+        () => config.schema.validate({ cors: { credentials: true, origin: '*' } }).cors.origin
+      ).toThrowErrorMatchingInlineSnapshot(
+        `"[cors]: Cannot specify wildcard origin \\"*\\" with \\"credentials: true\\". Please provide a list of allowed origins."`
+      );
+      expect(
+        () => config.schema.validate({ cors: { credentials: true } }).cors.origin
+      ).toThrowErrorMatchingInlineSnapshot(
+        `"[cors]: Cannot specify wildcard origin \\"*\\" with \\"credentials: true\\". Please provide a list of allowed origins."`
+      );
+    });
+  });
+});
+
 describe('HttpConfig', () => {
   it('converts customResponseHeaders to strings or arrays of strings', () => {
     const httpSchema = config.schema;
 
@@ -27,7 +27,7 @@ import { SslConfig, sslSchema } from './ssl_config';
 
 const validBasePathRegex = /^\/.*[^\/]$/;
 const uuidRegexp = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-5][0-9a-f]{3}-[089ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
-
+const hostURISchema = schema.uri({ scheme: ['http', 'https'] });
 const match = (regex: RegExp, errorMsg: string) => (str: string) =>
   regex.test(str) ? undefined : errorMsg;
 
@@ -45,7 +45,25 @@ export const config = {
           validate: match(validBasePathRegex, "must start with a slash, don't end with one"),
         })
       ),
-      cors: schema.boolean({ defaultValue: false }),
+      cors: schema.object(
+        {
+          enabled: schema.boolean({ defaultValue: false }),
+          credentials: schema.boolean({ defaultValue: false }),
+          origin: schema.oneOf(
+            [schema.literal('*'), schema.arrayOf(hostURISchema, { minSize: 1 })],
+            {
+              defaultValue: '*',
+            }
+          ),
+        },
+        {
+          validate(value) {
+            if (value.credentials === true && value.origin === '*') {
+              return 'Cannot specify wildcard origin "*" with "credentials: true". Please provide a list of allowed origins.';
+            }
+          },
+        }
+      ),
       customResponseHeaders: schema.recordOf(schema.string(), schema.any(), {
         defaultValue: {},
       }),
@@ -148,7 +166,11 @@ export class HttpConfig {
   public keepaliveTimeout: number;
   public socketTimeout: number;
   public port: number;
-  public cors: boolean | { origin: string[] };
+  public cors: {
+    enabled: boolean;
+    credentials: boolean;
+    origin: '*' | string[];
+  };
   public customResponseHeaders: Record<string, string | string[]>;
   public maxPayload: ByteSizeValue;
   public basePath?: string;
 
@@ -72,6 +72,9 @@ beforeEach(() => {
       allowFromAnyIp: true,
       ipAllowlist: [],
     },
+    cors: {
+      enabled: false,
+    },
   } as any;
 
   configWithSSL = {
 
@@ -102,6 +102,9 @@ describe('timeouts', () => {
       host: '127.0.0.1',
       maxPayload: new ByteSizeValue(1024),
       ssl: {},
+      cors: {
+        enabled: false,
+      },
       compression: { enabled: true },
       requestId: {
         allowFromAnyIp: true,
@@ -187,6 +190,26 @@ describe('getServerOptions', () => {
       }
     `);
   });
+
+  it('properly configures CORS when cors enabled', () => {
+    const httpConfig = new HttpConfig(
+      config.schema.validate({
+        cors: {
+          enabled: true,
+          credentials: false,
+          origin: '*',
+        },
+      }),
+      {} as any,
+      {} as any
+    );
+
+    expect(getServerOptions(httpConfig).routes?.cors).toEqual({
+      credentials: false,
+      origin: '*',
+      headers: ['Accept', 'Authorization', 'Content-Type', 'If-None-Match', 'kbn-xsrf'],
+    });
+  });
 });
 
 describe('getRequestId', () => {