No 'Access-Control-Allow-Origin' header is present on requested resource

aideveloper · October 31, 2020, 10:02pm

Our elasticsearch setup has the following cors settings in elasticsearch.yml:

http.cors.enabled: true
http.cors.allow-credentials: true
http.cors.allow-origin: "*"
http.cors.allow-methods: OPTIONS,HEAD,GET,POST,PUT,DELETE
http.cors.allow-headers: "X-Requested-With,Content-Type,Content-Length,x-user"

If we run the following curl command on our server:

curl -H "User-Agent: Mozilla" -H "Origin: http://example.com" -i localhost:9200

we get the correct headers:

HTTP/1.1 200 OK
content-type: application/json; charset=UTF-8
content-length: 533
access-control-allow-origin: *
access-control-allow-credentials: true

However, when we load our webpage with the following ajax call:

var postData = {
"size": 50,
"query": {
  "multi_match": {
    "query": request.term.toLowerCase(),
    "type": "bool_prefix",
    "fields": [
      "product",
      "product._2gram",
      "product._3gram"
    ]
  }
}
};
$.ajax({
url: "http://localhost:9200/products/_doc/_search",
type: "GET",
headers: {"X-User": "user"},
contentType: "application/json; charset=utf-8",
data: JSON.stringify(postData),
dataType: 'json',            
success: function (data) {
  console.log(data);
  var hitsJson = (data.hits.hits);
  for (var key in hitsJson) {
    arr.push(hitsJson[key]._source.product);
  }
  response(arr);
  console.log(arr);
},
error: function (xhr) {
  alert("err");
  alert(JSON.stringify(xhr));
}

});

we receive an error:

Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

and the response headers are missing "access-control-allow-origin: *", this is the response:

Allow: DELETE,POST,PUT,HEAD,GET
content-length: 0
content-type: text/plain; charset=UTF-8

Request headers are as follows:

Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,de;q=0.7
Access-Control-Request-Headers: content-type,x-user
Access-Control-Request-Method: POST
Connection: keep-alive
Host: localhost:9200This text will be hidden
Origin: http://our_IP
Referer: http://our_IP/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/86.0.4240.111 Safari/537.36

The webpage with above ajax works fine and we obtain json data with correct response headers - access-control-allow-origin: *, if we add "network.host: our_IP" in elasticsearch.yml and change "url: "http://localhost:9200/products/_doc/_search"
in above ajax call to "url: "http://our_IP:9200/products/_doc/_search".

But if possible we would prefer to not use the "network.host: our_IP" option in elasticsearch.yml.

We would be very grateful if somebody could help us on this problem.

system · November 28, 2020, 10:02pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.