XSS error with ES 2.3 upgrade

AndreyL · April 4, 2016, 6:02pm

I just upgraded my local environment from ES 2.2 to ES 2.3 and I started getting this error (using searchkit):

XMLHttpRequest cannot load http://localhost:9200/corpus/_search. Request header field Content-Type is not allowed by Access-Control-Allow-Headers in preflight response.

It's reproducible by simply making a jQuery.get() on the url.

I do have the same http settings in config/elasticsearch.yml as in 2.2 instance:

http.cors.enabled: true
http.cors.allow-methods: OPTIONS, HEAD, GET, POST, PUT, DELETE
http.cors.allow-headers: X-Requested-With,X-Auth-Token,Content-Type,Content-Length
http.cors.allow-origin: "*"

Reverting back to 2.2 instance fixes the error. Any ideas why ES 2.3 has this issue?

dadoonet · April 4, 2016, 6:16pm

I wonder if this is caused by this change: https://github.com/elastic/elasticsearch/pull/16436

May be add a comment on this issue?

AndreyL · April 4, 2016, 6:52pm

It looks like that's what is causing the issue. Surprised nobody else caught it yet. I commented on the pull, hopefully someone will see it

Topic		Replies	Views
Configuring Access-Control-Allow-Methods response header? Elasticsearch	3	670	July 6, 2017
No 'Access-Control-Allow-Origin' header is present on requested resource Elasticsearch	1	2533	November 28, 2020
CORS policy error message with ElasticsearchJS (Kibana plugin visualization) Elasticsearch	2	353	March 12, 2019
Header value/HTMLRequest blocked by CORS policy (CORs in Elasticsearch) Elasticsearch	1	1520	June 3, 2019
Get an CORS error When requested elastic search rest API Elasticsearch	3	596	October 26, 2021

XSS error with ES 2.3 upgrade

Related Topics