
I am trying to post a request to a local elasticsearch. I have configured the elasticsearch.yml to include:

  http.cors.enabled: true
  http.cors.allow-origin: "*"
  http.cors.allow-headers: "X-Requested-With, Content-Type, Content-Length, Authorization"

I have also tried:

  http.cors.enabled: true
  http.cors.allow-origin: "*"
  http.cors.allow-headers: X-Requested-With, Content-Type, Content-Length, Authorization

When posting from Postman there are no issues, but when posting from AngularJS I receive this error:

XMLHttpRequest cannot load http://localhost:9200/_search/test_index/_search?size=50. Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response.

The angular code is the following:

// Build the search request first so that it is defined when $http.post runs.
var query = {
    index: 'test_index',
    size: 50,
    body: {
      "query": {
        "filtered": {
          "query": {
            "wildcard": {
              "title": "*" + searchTerm + "*"
            }
          },
          "filter": {
            "not": {
              "filter": {
                "terms": {
                  "id": [ 1, 12 ]
                }
              }
            }
          }
        }
      }
    }
};

$http.post( vm.elasticsearchUrl, query );

-------ANSWER---------

I resolved it by setting Content-Type to undefined; this then removes Content-Type from the request headers.

var promise = $http.post( vm.elasticsearchUrl, query, {
    headers: {
      'Content-Type': undefined
    }
  } );

I am not sure if this is the correct way of doing it, so if anyone has any critique I would love to hear it.

Patidati
  • Are you intending on firing off requests directly to elasticsearch from your client side?! – Callum Linington May 11 '16 at 10:02
  • Uhmmm I was, but this seems to be a bad idea? Is there a reason not to? – Patidati May 11 '16 at 10:03
  • Well, if you were to have a lot of sensitive information in this dataset then you have given people the opportunity to access all of it. And you have no authentication on the elasticsearch box either, if there was an elasticsearch exploit it would give attackers another wide attack vector... Think of it in the same way as why you don't allow people to send raw SQL to SQL databases – Callum Linington May 11 '16 at 10:16
  • Oh like that, in this case it will not be a problem, there is not any sensitive information on the dataset, but thank you :)! – Patidati May 11 '16 at 10:34
  • Then that's fair enough. You will want to inject into the $httpProvider [interceptors](https://docs.angularjs.org/api/ng/service/$http) to possibly set the cross origin header or put it in the [defaults](https://docs.angularjs.org/api/ng/provider/$httpProvider) – Callum Linington May 11 '16 at 10:38
  • Still getting the same error :/ – Patidati May 11 '16 at 11:08
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/111631/discussion-between-callum-linington-and-patidati). – Callum Linington May 11 '16 at 11:11
  • http://stackoverflow.com/questions/25727306/request-header-field-access-control-allow-headers-is-not-allowed-by-access-contr this is the answer! – Callum Linington May 11 '16 at 11:13
  • I'm sorry to say it did not work, but I found an answer, even though I am not sure if it is a valid way of resolving this issue. I will post it above – Patidati May 11 '16 at 11:44
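
Why the preflight error appears and why unsetting Content-Type changes the outcome, as an added example that is not part of the original post or its comments: a simplified JavaScript model of the browser's preflight header check. The header sets are constructed inputs (AngularJS's default POST headers and the `http.cors.allow-headers` value from the question), and the function names are hypothetical.

```javascript
// Added example: simplified model of the browser's CORS preflight decision
// (after the Fetch standard; non-credentialed request, header checks only).
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language']);
const SAFE_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// Constructed inputs: AngularJS's default POST headers, the workaround from
// the post, and the allow-headers value from the elasticsearch.yml shown above.
const ANGULAR_DEFAULT_POST = {
  'Accept': 'application/json, text/plain, */*',
  'Content-Type': 'application/json;charset=utf-8',
};
const WORKAROUND_POST = { ...ANGULAR_DEFAULT_POST, 'Content-Type': undefined };
const CONFIGURED_ALLOW =
  'X-Requested-With, Content-Type, Content-Length, Authorization';

// Request headers that force a preflight and must be allowed by the server.
function unsafeHeaders(headers) {
  const out = [];
  for (const [name, value] of Object.entries(headers)) {
    if (value === undefined) continue; // AngularJS does not send undefined headers
    const n = name.toLowerCase();
    if (SAFE_HEADERS.has(n)) continue;
    const mime = String(value).split(';')[0].trim().toLowerCase();
    if (n === 'content-type' && SAFE_TYPES.has(mime)) continue;
    out.push(n);
  }
  return out.sort();
}

// Compare the request against an Access-Control-Allow-Headers response value.
function checkCors(headers, allowHeadersValue) {
  const allowed = new Set((allowHeadersValue || '')
    .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean));
  const needed = unsafeHeaders(headers);
  // "*" covers every header except Authorization, which must be listed by name.
  const blocked = needed.filter((h) =>
    !allowed.has(h) && !(allowed.has('*') && h !== 'authorization'));
  return { preflight: needed.length > 0, blocked };
}

console.log(checkCors(ANGULAR_DEFAULT_POST, ''));               // header missing
console.log(checkCors(ANGULAR_DEFAULT_POST, CONFIGURED_ALLOW)); // header allowed
console.log(checkCors(WORKAROUND_POST, ''));                    // no preflight
```

With the header left unset, the browser labels the string body `text/plain;charset=UTF-8`, a safelisted type, so no preflight is sent and Access-Control-Allow-Headers is never consulted.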
