XSS error with ES 2.3 upgrade

I just upgraded my local environment from ES 2.2 to ES 2.3 and I started getting this error (using searchkit):

XMLHttpRequest cannot load http://localhost:9200/corpus/_search. Request header field Content-Type is not allowed by Access-Control-Allow-Headers in preflight response.

It's reproducible by simply making a jQuery.get() on the URL.

I do have the same http settings in config/elasticsearch.yml as in the 2.2 instance:

http.cors.enabled: true
http.cors.allow-methods: OPTIONS, HEAD, GET, POST, PUT, DELETE
http.cors.allow-headers: X-Requested-With,X-Auth-Token,Content-Type,Content-Length
http.cors.allow-origin: "*"

Reverting back to the 2.2 instance fixes the error. Any ideas why ES 2.3 has this issue?
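To make the failure above concrete, here is an added example (not code from the thread, from searchkit, or from Elasticsearch) that models the browser-side CORS preflight check which produces the "Request header field Content-Type is not allowed by Access-Control-Allow-Headers" message. It assumes the client sends Content-Type: application/json (which is not a CORS-safelisted media type, so the browser must preflight it), and both preflight responses it checks against are constructed: one reflecting the elasticsearch.yml allow-headers list quoted above, and one where Content-Type is absent from the list, which reproduces the error.

```javascript
// Added example: a model of the browser-side CORS preflight header check.
// Not Elasticsearch or searchkit code; requests and responses below are constructed.

// CORS-safelisted request headers (Fetch spec). These do not trigger a preflight
// on their own, so they need not appear in Access-Control-Allow-Headers.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
// Content-Type is only safelisted for these media types. application/json is not,
// which is why a JSON _search request forces a preflight that must list Content-Type.
const SAFELISTED_CONTENT_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];

function isSafelisted(name, value) {
  const n = name.toLowerCase();
  if (!SAFELISTED.has(n)) return false;
  if (n !== 'content-type') return true;
  const mime = value.split(';')[0].trim().toLowerCase();
  return SAFELISTED_CONTENT_TYPES.includes(mime);
}

// The header names a browser places in Access-Control-Request-Headers:
// every request header that is not safelisted.
function preflightRequestHeaders(requestHeaders) {
  return Object.entries(requestHeaders)
    .filter(([name, value]) => !isSafelisted(name, value))
    .map(([name]) => name);
}

// Parse Access-Control-Allow-Headers the way a browser does: comma-separated,
// surrounding whitespace ignored, names compared case-insensitively. The list in
// the thread's config has no spaces after the commas; a browser accepts either form.
function parseAllowHeaders(value) {
  if (value == null) return new Set();
  return new Set(value.split(',').map((h) => h.trim().toLowerCase()).filter(Boolean));
}

// Evaluate the preflight. Response header names are assumed lowercased, as in a
// browser's header map. Returns { allowed, rejected }, where rejected lists the
// request header fields the browser would report as not allowed.
function checkPreflight(requestHeaders, preflightResponseHeaders, withCredentials = false) {
  const needed = preflightRequestHeaders(requestHeaders);
  const allowed = parseAllowHeaders(preflightResponseHeaders['access-control-allow-headers']);
  // "*" in Access-Control-Allow-Headers is a wildcard only for requests without credentials.
  const wildcard = allowed.has('*') && !withCredentials;
  const rejected = wildcard ? [] : needed.filter((name) => !allowed.has(name.toLowerCase()));
  return { allowed: rejected.length === 0, rejected };
}

// Render the outcome in the wording Chrome used for this failure.
function explain(result) {
  return result.allowed
    ? 'preflight OK'
    : `Request header field ${result.rejected[0]} is not allowed by Access-Control-Allow-Headers in preflight response.`;
}

// Constructed request: what a JSON search client sends to /corpus/_search.
const searchRequest = { 'Content-Type': 'application/json', 'X-Requested-With': 'XMLHttpRequest' };

// Constructed preflight response reflecting the elasticsearch.yml settings quoted in the post.
const responseFromConfig = {
  'access-control-allow-origin': '*',
  'access-control-allow-methods': 'OPTIONS, HEAD, GET, POST, PUT, DELETE',
  'access-control-allow-headers': 'X-Requested-With,X-Auth-Token,Content-Type,Content-Length',
};

// Constructed preflight response whose allow list lacks Content-Type (for instance because
// the configured list was not applied by the server); this reproduces the reported error.
const responseMissingContentType = {
  'access-control-allow-origin': '*',
  'access-control-allow-methods': 'OPTIONS, HEAD, GET, POST, PUT, DELETE',
  'access-control-allow-headers': 'X-Requested-With',
};

console.log(explain(checkPreflight(searchRequest, responseFromConfig)));
console.log(explain(checkPreflight(searchRequest, responseMissingContentType)));
```

A practical way to use this when debugging: capture the real OPTIONS response to http://localhost:9200/corpus/_search (browser network tab, or curl -i -X OPTIONS with Origin and Access-Control-Request-Headers set) and feed its Access-Control-Allow-Headers value into checkPreflight. If the configured list is echoed back verbatim, the check passes; if the server returns something else, the header list it actually serves, not the one in elasticsearch.yml, is what the browser enforces.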

I wonder if this is caused by this change: https://github.com/elastic/elasticsearch/pull/16436

Maybe add a comment on this issue?


It looks like that's what is causing the issue. Surprised nobody else caught it yet. I commented on the pull; hopefully someone will see it.