Login API CORS issue with localhost


(Sanjana Badam) #1

Hi, we are working with Elasticsearch and Kibana.
We have them on different servers. We need to embed the Kibana dashboard in an iframe in our React page.
We are trying to auto-login by making an API call (/api/security/v1/login) to the Kibana server but then we are getting this issue:
```
Fetch API cannot load http://10.33.178.146:5601/api/security/v1/login. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
```
We have set:

```
http.cors.allow-origin: "/.*/"
http.cors.allow-credentials: true
```
in elasticsearch.yml
and also:
```
server.cors: true
server.cors.origin: "/.*/"
```
in kibana.yml and we are still getting the same error when we run the code on our localhost.
We also tried `http.cors.allow-origin: "*"` and `server.cors.origin: "*"` and it didn't work. :(
Is there something we are missing?

These are the headers we are setting when we make the HTTP POST call:
```
"Content-Type": "multipart/form-data",
"Content-Length": Buffer.byteLength(body),
"kbn-version": "5.5.0"
```

P.S.: It works fine with Postman.

(Jon Budzenski) #2

I believe you want server.cors.origin to be an array.

If you want any origin, server.cors.origin: ['*']

We're using hapi behind the scenes here (defaulted to off). For reference, the cors object under https://hapijs.com/api/14.2.0#route-configuration. I don't see this documented on our site so let me know if that works for you and I'll get a fix up.


(Sanjana Badam) #3

I have tried that too and it didn't work :pensive:


(Sanjana Badam) #4

This issue got fixed by adding:
```
cors: { additionalHeaders: ['kbn-version','cookie'], origin: ['*'] },
```
to
kibana/src/server/http/setup_connection.js
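
The preflight failure discussed in this thread, modelled as an added example (not code from the thread or from Kibana): a simplified version of the check a browser applies to the OPTIONS response before it sends the login POST. `checkPreflight` is a hypothetical helper and the response header sets are constructed; the example also covers the credentialed (cookie) case, which goes beyond what the thread tested.

```javascript
// Simplified model of the check a browser applies to a CORS preflight response.
// Added example: the response header sets below are constructed.
// content-type is only safelisted for form/text values such as multipart/form-data.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

// req: { origin, headers: [names the script sets], credentials: boolean }
// res: preflight response headers keyed by lower-case name
function checkPreflight(req, res) {
  const acao = res['access-control-allow-origin'];
  if (!acao) return 'blocked: no Access-Control-Allow-Origin';
  if (acao === '*' && req.credentials) return 'blocked: wildcard origin with credentials';
  if (acao !== '*' && acao !== req.origin) return 'blocked: origin mismatch';
  if (req.credentials && res['access-control-allow-credentials'] !== 'true') {
    return 'blocked: Access-Control-Allow-Credentials is not true';
  }
  const allowed = (res['access-control-allow-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  // With credentials, "*" in Allow-Headers is a literal name, not a wildcard.
  const wildcard = allowed.includes('*') && !req.credentials;
  for (const name of req.headers.map((h) => h.toLowerCase())) {
    if (SAFELISTED.has(name) || wildcard || allowed.includes(name)) continue;
    return `blocked: header ${name} not allowed`;
  }
  return 'allowed';
}

// The login call from the thread: the custom kbn-version header forces a preflight.
const login = { origin: 'http://localhost:3000', headers: ['Content-Type', 'kbn-version'], credentials: false };
const withCookies = { ...login, credentials: true };

const noCors = {}; // server answers OPTIONS without any CORS headers
const wildcardOnly = {
  'access-control-allow-origin': '*',
  'access-control-allow-headers': 'Accept, Authorization, Content-Type, If-None-Match',
};
const wildcardFixed = { ...wildcardOnly, 'access-control-allow-headers': 'Accept, Content-Type, kbn-version' };
const pinned = { // stricter alternative: one named origin, credentials enabled
  'access-control-allow-origin': 'http://localhost:3000',
  'access-control-allow-credentials': 'true',
  'access-control-allow-headers': 'Content-Type, kbn-version',
};

for (const [label, req, res] of [
  ['no CORS headers', login, noCors], ['wildcard, default headers', login, wildcardOnly],
  ['wildcard + kbn-version', login, wildcardFixed], ['wildcard + cookies', withCookies, wildcardFixed],
  ['pinned origin + cookies', withCookies, pinned],
]) console.log(label.padEnd(26), checkPreflight(req, res));
```

Postman does not apply this check, which is why the same request succeeds there. A request sent with cookies only passes when the server names the exact origin, so a pinned origin is both the working and the tighter setting for a login endpoint.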

