Login API CORS issue with localhost

Hi, we are working with Elasticsearch and Kibana.
We have them on different servers. We need to embed the Kibana dashboard in an iframe in our React page.
We are trying to auto-login by making an API call (`/api/security/v1/login`) to the Kibana server but then we are getting this issue:
```
Fetch API cannot load http://10.33.178.146:5601/api/security/v1/login. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
```
We have set:
```
http.cors.allow-origin: "/.*/"
http.cors.allow-credentials: true
```
in `elasticsearch.yml`
and also:
```
server.cors: true
server.cors.origin: "/.*/"
```
in `kibana.yml` and we are still getting the same error when we run the code on our localhost.
We also tried `http.cors.allow-origin: "*"` and `server.cors.origin: "*"` and it didn't work. :(
Is there something we are missing?

These are the headers we are setting when we make the HTTP POST call:
```
"Content-Type": "multipart/form-data",
"Content-Length": Buffer.byteLength(body),
"kbn-version": "5.5.0"
```

P.S.: It works fine with Postman.

I believe you want `server.cors.origin` to be an array.

If you want any origin, `server.cors.origin: ['*']`

We're using hapi behind the scenes here (defaulted to off). For reference, the cors object under https://hapijs.com/api/14.2.0#route-configuration. I don't see this documented on our site so let me know if that works for you and I'll get a fix up.

I have tried that too and it didn't work :pensive:

This issue got fixed by adding:
```
cors: { additionalHeaders: ['kbn-version','cookie'], origin: ['*'] },
```
to
`kibana/src/server/http/setup_connection.js`
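
Why the preflight in this thread is rejected and what the `additionalHeaders` setting changes, as an added example that is not part of any post above and is not Kibana or hapi source code. It is a simplified model with hypothetical function names; the last two cases go beyond the thread to the credentialed request, where browsers reject a wildcard origin and an exact origin such as `http://localhost:3000` is needed.

```javascript
// Added example: simplified model of a CORS preflight, not Kibana or hapi source.
// DEFAULT_HEADERS mirrors the documented default `headers` list of hapi's route cors option.
const DEFAULT_HEADERS = ['Accept', 'Authorization', 'Content-Type', 'If-None-Match'];

// Server side (assumed model): build preflight response headers from a hapi-style cors object.
function preflightResponse(cors, origin) {
  if (!cors) return {};                          // cors off: no CORS headers at all
  const allowed = cors.origin || ['*'];
  if (!allowed.includes('*') && !allowed.includes(origin)) return {};
  const res = {
    'access-control-allow-origin': allowed.includes('*') ? '*' : origin,
    'access-control-allow-headers':
      DEFAULT_HEADERS.concat(cors.additionalHeaders || []).join(',').toLowerCase(),
  };
  if (cors.credentials) res['access-control-allow-credentials'] = 'true';
  return res;
}

// Browser side: the checks the Fetch standard applies to that response.
function browserAccepts(res, origin, requestHeaders, withCredentials) {
  const acao = res['access-control-allow-origin'];
  if (!acao) return 'blocked: no Access-Control-Allow-Origin header';
  if (withCredentials && acao === '*') return 'blocked: wildcard origin with credentials';
  if (acao !== '*' && acao !== origin) return 'blocked: origin mismatch';
  if (withCredentials && res['access-control-allow-credentials'] !== 'true')
    return 'blocked: credentials not allowed';
  const allowed = (res['access-control-allow-headers'] || '').split(',');
  const missing = requestHeaders.filter((h) => !allowed.includes(h.toLowerCase()));
  return missing.length ? `blocked: header not allowed: ${missing.join(',')}` : 'ok';
}

function check(cors, withCredentials = false) {
  const origin = 'http://localhost:3000';        // origin from the error in the thread
  const requested = ['kbn-version'];             // custom header that forces the preflight
  return browserAccepts(preflightResponse(cors, origin), origin, requested, withCredentials);
}

console.log(check(undefined));                   // cors disabled
console.log(check({ origin: ['*'] }));           // origin allowed, custom header not listed
console.log(check({ origin: ['*'], additionalHeaders: ['kbn-version', 'cookie'] }));
console.log(check({ origin: ['*'], additionalHeaders: ['kbn-version'], credentials: true }, true));
console.log(check({ origin: ['http://localhost:3000'], additionalHeaders: ['kbn-version'],
                    credentials: true }, true));
```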
