Add ability to specify CORS accepted origins #84316
Conversation
| | Set to `false` to disable HTTP compression for all responses. *Default: `true`* | ||
|
|
||
| | `server.cors.enabled:` | ||
| | experimental[] Set to `true` to allow cross-origin API calls. *Default:* `false` |
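Review bot: this docs row covers only `server.cors.enabled`; the `server.cors.allowCredentials` and `server.cors.allowOrigin` settings listed in the release notes need rows beside it, and the `allowOrigin` row should state that an explicit origin list is required when `allowCredentials` is `true`, since that constraint is what keeps a credentialed CORS policy from being wildcard-open.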
@kobelb We should start with marking it as experimental, I suppose
If we're marking the old server.cors setting as deprecated, then I'm not sure we should replace it with an experimental setting. Is there a reason to believe this won't be stable enough to mark as GA?
Pinging @elastic/kibana-core (Team:Core)
x-pack/test/functional_cors/plugins/kibana_cors_test/server/plugin.ts
| it('Communicates to Kibana with configured CORS', async () => { | ||
| const args: string[] = config.get('kbnTestServer.serverArgs'); | ||
| const originSetting = args.find((str) => str.includes('server.cors.origin')); | ||
| if (!originSetting) { | ||
| throw new Error('Cannot find "server.cors.origin" argument'); | ||
| } | ||
| const [, value] = originSetting.split('='); | ||
| const url = JSON.parse(value); | ||
|
|
||
| await browser.navigateTo(url[0]); | ||
| const element = await find.byCssSelector('p'); | ||
| expect(await element.getVisibleText()).to.be('content from kibana'); | ||
| }); |
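Review bot: `originSetting.split('=')` at `const [, value] = originSetting.split('=')` keeps only the text between the first and second `=`, so any origin value containing `=` would be truncated before `JSON.parse` and the test would fail with a parse error rather than a clear message; split on the first `=` only (`indexOf('=')` plus `slice`). The test also asserts only the allowed case (the page renders `content from kibana`); a companion case that serves the page from an origin not listed in `server.cors.origin` and asserts the cross-origin fetch is blocked would cover the policy this PR actually enforces.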
ACK: Will review later today or tomorrow
FWIW, the old server.cors setting could only be set when running Kibana from source, so we can just delete it if we want.
that's correct. from #16714 (comment)
I apologize, it appears this feature was documented in #47701 when it should not have been. It is currently only available in dev mode which cannot be enabled in production builds.
We can mark it as GA, but it means that we won't be able to introduce any breaking changes if needed.
The experimental tag can be removed in v8.x after a trial.
Gotcha - I don't have any objections to marking as experimental or beta then
Co-authored-by: Larry Gregory <lgregorydev@gmail.com>
Thanks for adding this, @restrry.
Without the ability to customize the access-control-allow-headers response header and Kibana not responding to the OPTIONS pre-flights, the user will be limited to the APIs that they can call using CORS. Do we intend to add those in a separate PR, or is there a reason why we shouldn't do so?
Co-authored-by: Brandon Kobel <brandon.kobel@gmail.com>
@kobelb What kind of API cannot be used with the current implementation? I can think of
We shouldn't be adding APIs to the Currently, all non- FWIW, my prior statement about Kibana not responding to
Thanks for making these changes, @restrry. This is looking great!
* add settings
* update abab package to version with types
* add test case for CORS
* add tests for cors config
* fix jest tests
* add deprecation message
* tweak deprecation
* make test runable on Cloud
* add docs
* fix type error
* add test to throw on invalid URL
* address comments
* Update src/core/server/http/http_config.test.ts
  Co-authored-by: Larry Gregory <lgregorydev@gmail.com>
* Update docs/setup/settings.asciidoc
  Co-authored-by: Brandon Kobel <brandon.kobel@gmail.com>
* allow kbn-xsrf headers to be set on CORS request

Co-authored-by: Larry Gregory <lgregorydev@gmail.com>
Co-authored-by: Brandon Kobel <brandon.kobel@gmail.com>

# Conflicts:
#	src/core/server/config/deprecation/core_deprecations.ts
#	x-pack/scripts/functional_tests.js
💚 Build Succeeded
Resolves #16714.
Summary
The current implementation is based on a discussion in the parent issue.
Kibana supports only 3 CORS options at the moment:

- `server.cors.enabled`: Set to `true` to allow cross-origin API calls. Default: `false`
- `server.cors.credentials`: Set to `true` to allow browser code to access the response body whenever the request is performed with user credentials. Default: `false`
- `server.cors.origin`: List of origins permitted to access resources. You must specify `server.cors.origin` when `server.cors.credentials: true`. Default: `"*"`

Kibana extends the `Access-Control-Allow-Headers` list with the following headers: `['Accept', 'Authorization', 'Content-Type', 'If-None-Match', 'kbn-xsrf']`
Release Notes

Added experimental support for configuring CORS policy:

- `server.cors.enabled`: Set to `true` to allow cross-origin API calls. Default: `false`
- `server.cors.allowCredentials`: Set to `true` to allow browser code to access the response body whenever the request is performed with user credentials. Default: `false`
- `server.cors.allowOrigin`: List of origins permitted to access resources. You must specify `server.cors.allowOrigin` when `server.cors.allowCredentials: true`. Default: `["*"]`
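The settings above and the `Access-Control-Allow-Headers` list from the summary, modelled as a small policy check. This is an added example, not Kibana's code (Kibana delegates CORS to its HTTP framework); the setting names follow the release notes, while the function names, the `Vary: Origin` header, the allowed-methods list and the constructed pre-flight request are assumptions made for the example. It shows the two points discussed in the thread: why `allowOrigin: ["*"]` is rejected once `allowCredentials` is `true`, and what a pre-flight for a request carrying `kbn-xsrf` needs to see in the response.

```typescript
// Added example, not Kibana's own code: a small model of the CORS policy the PR
// describes. Setting names follow the release notes; the method list, the Vary
// header and the function names are assumptions made for this example.

interface CorsConfig {
  enabled: boolean;           // server.cors.enabled
  allowCredentials: boolean;  // server.cors.allowCredentials
  allowOrigin: string[];      // server.cors.allowOrigin, ['*'] by default
}

const DEFAULT_CORS_CONFIG: CorsConfig = { enabled: false, allowCredentials: false, allowOrigin: ['*'] };

// Headers the PR summary says Kibana adds to Access-Control-Allow-Headers.
const ALLOWED_HEADERS = ['Accept', 'Authorization', 'Content-Type', 'If-None-Match', 'kbn-xsrf'];

// Allowed methods are an assumption for the example; the PR does not list them.
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'];

// An origin is scheme://host[:port] with no path, query or fragment.
const ORIGIN_RE = /^[a-z][a-z0-9+.-]*:\/\/[^\s\/?#]+$/i;

// Returns the list of config problems; an empty list means the config is valid.
function validateCorsConfig(cfg: CorsConfig): string[] {
  const errors: string[] = [];
  if (cfg.allowCredentials && cfg.allowOrigin.indexOf('*') !== -1) {
    // Browsers refuse credentialed responses whose ACAO is '*', so an explicit
    // origin list is mandatory once credentials are allowed.
    errors.push('server.cors.allowOrigin must list explicit origins when server.cors.allowCredentials is true');
  }
  for (const origin of cfg.allowOrigin) {
    if (origin !== '*' && !ORIGIN_RE.test(origin)) {
      errors.push(`invalid origin "${origin}": expected scheme://host[:port]`);
    }
  }
  return errors;
}

type CorsHeaders = { [name: string]: string };

// Computes the CORS response headers for one request, or null when the server
// should add none: CORS disabled, no Origin header, origin not allowed, or a
// pre-flight asking for a header or method outside the allowed lists.
// Assumes cfg already passed validateCorsConfig.
function corsHeadersFor(
  cfg: CorsConfig,
  requestOrigin: string | undefined,
  method: string,
  requestedMethod?: string,
  requestedHeaders?: string
): CorsHeaders | null {
  if (!cfg.enabled || !requestOrigin) return null;
  const wildcard = cfg.allowOrigin.indexOf('*') !== -1;
  if (!wildcard && cfg.allowOrigin.indexOf(requestOrigin) === -1) return null; // exact string match

  const headers: CorsHeaders = {
    // With '*' the literal wildcard is echoed; with an explicit list the matched
    // origin is echoed, and Vary: Origin keeps shared caches from mixing origins.
    'access-control-allow-origin': wildcard ? '*' : requestOrigin,
    vary: 'Origin',
  };
  if (cfg.allowCredentials) headers['access-control-allow-credentials'] = 'true';

  if (method.toUpperCase() === 'OPTIONS') {
    // Pre-flight: every requested header and the requested method must be allowed.
    const wanted = (requestedHeaders || '')
      .split(',')
      .map((h) => h.trim().toLowerCase())
      .filter((h) => h.length > 0);
    const allowedLower = ALLOWED_HEADERS.map((h) => h.toLowerCase());
    if (wanted.some((h) => allowedLower.indexOf(h) === -1)) return null;
    if (requestedMethod && ALLOWED_METHODS.indexOf(requestedMethod.toUpperCase()) === -1) return null;
    headers['access-control-allow-headers'] = ALLOWED_HEADERS.join(', ');
    headers['access-control-allow-methods'] = ALLOWED_METHODS.join(', ');
  }
  return headers;
}

// Constructed pre-flight (not captured traffic), as a browser page on
// https://app.example would send before a POST carrying kbn-xsrf to a Kibana API.
const SAMPLE_PREFLIGHT = {
  method: 'OPTIONS',
  origin: 'https://app.example',
  requestedMethod: 'POST',
  requestedHeaders: 'kbn-xsrf, content-type',
};

function evaluateSamplePreflight(cfg: CorsConfig): CorsHeaders | null {
  return corsHeadersFor(
    cfg,
    SAMPLE_PREFLIGHT.origin,
    SAMPLE_PREFLIGHT.method,
    SAMPLE_PREFLIGHT.requestedMethod,
    SAMPLE_PREFLIGHT.requestedHeaders
  );
}
```

`evaluateSamplePreflight({ enabled: true, allowCredentials: true, allowOrigin: ['https://app.example'] })` returns the credentialed header set with `kbn-xsrf` in `access-control-allow-headers`; the same pre-flight against a config whose list does not contain `https://app.example` returns null, and a config combining `allowCredentials: true` with `['*']` never gets that far because `validateCorsConfig` reports it. The origin match is an exact string comparison on purpose: prefix or substring matching would let `https://app.example.attacker.test` through.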