elasticsearch: Cross-Origin Request Blocked despite configuring http module

Question

I am using version 2.3.2 of elasticsearch. In my elasticsearch.yml file I have added the below lines to allow Cross-Origin requests.

http.cors.enabled: true
http.cors.allow-credentials: true
http.cors.allow-methods: OPTIONS,HEAD,GET,POST,PUT,DELETE
http.cors.max-age: 0
http.cors.allow-origin: /http?:\/\/localhost(:[0-9]+)?/
http.cors.allow-headers : X-Requested-With,X-Auth-Token,Content-Type,Content-Length

However, when i try to execute a query from Firefox, I get the following error;

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote 
resource at http://localhost:9200/someIndex/_search?size=10&from=0. 
(Reason: CORS header 'Access-Control-Allow-Origin' missing).

Replacing the http.cors.allow-origin parameter with "*", seems to work, but the documentation indicates this is a security requests.

The request headers from the browser are below;

Accept - application/json, text/plain, */*
Accept-Encoding - gzip, deflate
Accept-Language - en-US,en;q=0.5
Content-Length - 26
Content-Type - application/json;charset=utf-8
DNT - 1
Host - localhost:9200
Origin - null
User-Agent - Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:44.0) Gecko/20100101 Firefox/44.0

Could someone please suggest what I am doing wrong in the above?

Can you try to write it in double quotes? – alpert Apr 28 '16 at 07:06 — alpert, Apr 28 '16 at 07:06
elasticsearch fails to launch if double quotes are added. – JSB Apr 28 '16 at 07:39 — JSB, Apr 28 '16 at 07:39

score 0 · Answer 1 · answered Apr 28 '16 at 06:56

0

You seem to have a small typo.

It should read

http.cors.allow-origin: /https?:\/\/localhost(:[0-9]+)?/
                             ^
                             |
                          add this

i.e. you're missing the s before the ?, which means "either http or https"

answered Apr 28 '16 at 06:56

Val

207,596
13
358
360

Hi Val - I did try this already actually - nothing seemed to change unfortunately. – JSB Apr 28 '16 at 06:58
I suspect the query is not coming from localhost, but maybe 127.0.0.1, is that possible? Can you check what you see in your Firefox developer tools when the query is sent? What host is the requester using? – Val Apr 28 '16 at 07:15
Added the reqeuste headers above - seems to be using localhost. Also tried using 127.0.0.1 in the yml file, but no good either. – JSB Apr 28 '16 at 07:38
I see `Origin - null`, which is why it's not working in my opinion. `Host` is the target host (i.e. your ES). You're probably loading an HTML page from the local filesystem, is that correct? See http://stackoverflow.com/questions/8456538/origin-null-is-not-allowed-by-access-control-allow-origin – Val Apr 28 '16 at 12:08

elasticsearch: Cross-Origin Request Blocked despite configuring http module

1 Answers1

Linked