Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’

Hi, I am in a process of learning how to use Elastic, Kibana and a simple create-react-app project with OpenTelemetry to monitor a react application. After setting up Elastic, Kibana and instrumenting OpenTelemetry I am running into an issue when trying to send data:

"Access to XMLHttpRequest at 'http://localhost:8200/' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource."

I am using Elastic v7.15.0, Kibana v7.15.0, Elastic agent 7.15.0 and OpenTelemetry.

My CORS configuration in elasticsearch.yml is:
http.cors.enabled: true
http.cors.allow-origin: "/.*/"
http.cors.allow-credentials: true
http.cors.allow-headers: "X-Requested-With,Content-Type,Content-Length,Authorization,x-proxy-user"

The OPTIONS request passes but POST fails.


Request:
curl 'http://localhost:8200/'
-H 'sec-ch-ua: "Google Chrome";v="119", "Chromium";v="119", "Not?A_Brand";v="24"'
-H 'sec-ch-ua-mobile: ?0'
-H 'authorization: Bearer test'
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36'
-H 'Content-Type: application/json, application/x-www-form-urlencoded'
-H 'Accept: application/json'
-H 'Referer: http://localhost:3000/'
-H 'sec-ch-ua-platform: "macOS"'
--data-raw '{"resourceSpans":[{"resource":{"attributes":[{"key":"service.name","value":{"stringValue":"frontend-js"}},{"key":"telemetry.sdk.language","value":{"stringValue":"webjs"}},{"key":"telemetry.sdk.name","value":{"stringValue":"opentelemetry"}},{"key":"telemetry.sdk.version","value":{"stringValue":"1.18.1"}}],"droppedAttributesCount":0},"scopeSpans":[{"scope":{"name":"@opentelemetry/instrumentation-user-interaction","version":"0.33.2"},"spans":[{"traceId":"fd9cc65e70d1f4707021d5d6d0ad4d23","spanId":"efc994f38b519556","name":"click","kind":1,"startTimeUnixNano":"1701269706118000000","endTimeUnixNano":"1701269706118300000","attributes":[{"key":"event_type","value":{"stringValue":"click"}},{"key":"target_element","value":{"stringValue":"HEADER"}},{"key":"target_xpath","value":{"stringValue":"//html/body/div/div/header"}},{"key":"http.url","value":{"stringValue":"http://localhost:3000/"}}],"droppedAttributesCount":0,"events":[],"droppedEventsCount":0,"status":{"code":0},"links":[],"droppedLinksCount":0}]}]}]}'
--compressed

Any suggestions of what might be the issue?

Hi,

it's possible that you have to add in elasticsearch.yml:

http.cors.allow-methods: OPTIONS, POST

Set up CORS for Behavioral Analytics | Elasticsearch Guide [8.12] | Elastic

Regards