Kibana v7.6.0 CORS does not seem to work

Hi, I have tried to enable CORS via kibana.yml and elasticsearch.yml, but it does not seem to work: my POST request never starts, because the preceding OPTIONS request sent by the browser to the Kibana endpoint does not receive the correct headers to proceed with the POST request.
I have used Chrome v80.0.3987.149 for testing.

In kibana.yml

server.cors: true
#server.cors.origin: [""]
server.cors.origin: ["*"]
server.cors.additionalHeaders: ["kbn-version","kbn-xsrf","cookie"]
server.cors.credentials: true

In elasticsearch.yml

http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-credentials: true
http.cors.allow-methods: OPTIONS,HEAD,GET,POST,PUT,DELETE
http.cors.allow-headers: kbn-version,kbn-xsrf,Origin,X-Requested-With,Content-Type,Accept,Engaged-Auth-Token,Content-Length,Authorization


OPTIONS /kibana/internal/security/login HTTP/1.1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Access-Control-Request-Method: POST
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Access-Control-Request-Headers: content-type,kbn-version,kbn-xsrf
Accept: */*
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Accept-Encoding: gzip, deflate, br
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7

Response to OPTIONS request (KIBANA --> CLIENT)

HTTP/1.1 200 OK
kbn-name: XXX
kbn-license-sig: XXX
kbn-xpack-sig: XXX
content-type: application/json; charset=utf-8
cache-control: no-cache
content-length: 54
Date: Fri, 03 Apr 2020 18:24:22 GMT
Connection: keep-alive

How can I solve this? Thank you.

PS: If I use "Moesif Origins & CORS Changer" as a Chrome extension, correctly configured for the scope, everything works properly, because this extension provides the right headers in the response to the client's OPTIONS request, so the client can fire the POST request to the Kibana endpoint properly.
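Added example, not part of the original thread: a simplified version of the check a browser applies to a preflight response (after the Fetch standard), run over the OPTIONS exchange posted above. The Origin value and the two alternative responses are constructed, and the login request is assumed to be sent with credentials.

```javascript
// Simplified CORS-preflight check after the Fetch standard (added example).
// Header objects use lowercase names; the response status is assumed to be 2xx.
const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

function checkPreflight(req, res, withCredentials) {
  const problems = [];
  const allowOrigin = res["access-control-allow-origin"];
  if (!allowOrigin) {
    problems.push("missing Access-Control-Allow-Origin");
  } else if (allowOrigin === "*") {
    if (withCredentials) problems.push("wildcard origin rejected for credentialed request");
  } else if (allowOrigin !== req["origin"]) {
    problems.push("Access-Control-Allow-Origin does not match Origin");
  }
  if (withCredentials && res["access-control-allow-credentials"] !== "true") {
    problems.push("missing Access-Control-Allow-Credentials: true");
  }
  // A literal "*" in the allow lists only counts for requests without credentials.
  const star = (items) => !withCredentials && items.includes("*");
  const method = (req["access-control-request-method"] || "").toUpperCase();
  const methods = list(res["access-control-allow-methods"]);
  const safelisted = ["GET", "HEAD", "POST"].includes(method);
  if (!safelisted && !methods.includes(method.toLowerCase()) && !star(methods)) {
    problems.push(`method ${method} not allowed`);
  }
  const headers = list(res["access-control-allow-headers"]);
  for (const name of list(req["access-control-request-headers"])) {
    const wildcardOk = star(headers) && name !== "authorization";
    if (!headers.includes(name) && !wildcardOk) problems.push(`header ${name} not allowed`);
  }
  return problems;
}

// Preflight from the post; the Origin value is constructed (the capture shows none).
const pageRequest = {
  "origin": "https://app.example",
  "access-control-request-method": "POST",
  "access-control-request-headers": "content-type,kbn-version,kbn-xsrf",
};
// Response headers from the post: no Access-Control-* header is present.
const pageResponse = { "content-type": "application/json; charset=utf-8", "cache-control": "no-cache" };
// Constructed responses: wildcard origin with credentials, and an explicit origin.
const allowHeaders = "content-type,kbn-version,kbn-xsrf";
const wildcardResponse = { "access-control-allow-origin": "*",
  "access-control-allow-credentials": "true", "access-control-allow-headers": allowHeaders };
const explicitResponse = { ...wildcardResponse, "access-control-allow-origin": "https://app.example" };

console.log(checkPreflight(pageRequest, pageResponse, true));
console.log(checkPreflight(pageRequest, wildcardResponse, true));
console.log(checkPreflight(pageRequest, explicitResponse, true));
```

The function lists every failed condition, whereas a browser stops at the first one. When a proxy supplies these headers, naming the embedding origin explicitly keeps credentialed cross-origin access limited to that site.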

Hi, I just want to let you know that I'm trying out a CORS setup locally in 7.6.0, to help out. I'm not finding the documentation on server.cors settings in Kibana, so I reached out for help on getting a working setup that I can share.

Hi, I have an update. I have found that the documentation of server.cors has been removed from the documentation and customizing CORS is no longer supported for Kibana in "production" mode:

However, it seems that it could still work in dev mode.

Would you mind elaborating on why you're in need of CORS support for Kibana?

Thank you for the details. I have solved it with an nginx reverse proxy that responds to all CORS requests.

Primarily for embedding some dashboards through an iframe, but it is most important for SAST and DAST tests.
