Ability to specify CORS accepted origins #16714
Comments
tylersmalley
added
the
Team:Core
|
This also not works Tested on windows 10 for 5.6 It seems adding header via proxy can be a solution currently |
|
Any update on this? But, still getting cross-origin error. |
|
Also, allowing customization of some other CORS properties would be very helpful. |
epixa
added
Team:Core
|
Pinging @elastic/kibana-platform |
|
@tylersmalley Will you consider accepting a PR? |
|
Hi, any updates on this? Would be extremely useful. Thanks. |
|
Hi, I have this configuration on my kibana-yml, server.cors: true And when requesting this endpoint, https://localhost:5601/api/saved_objects/_find?type=dashboard, the response does not add the Access-Control-Allow-Origin Header. Is cors enabled for the kibana Rest API? Thanks |
|
I apologize, it appears this feature was documented in #47701 when it should not have been. It is currently only available in We have not prioritized add this feature yet. If you could explain your usecase for CORS headers, that would help us prioritize accordingly. Thank you! |
|
@joshdover The usecase for CORS headers would be using an iFrame. |
|
Hi @mishat-realityi, could you go in more detail about what you are trying to accomplish? What would help me understand is the user experience you are trying to create, beyond just the technical details. |
|
Sure @joshdover ,
Blocked a frame with origin "http://localhost:5601" from accessing a frame with origin "null"So as results you wouldn't be able to bypass authentication part in iframe until you enable in kibana.yml
This makes iframe with authentication practically unusable. I think it should be documented. I hope it makes sense. |
|
I don't believe the problem you are encountering is a CORS issue. You'll need to start an HTTP server that hosts this file. If you have Node.js installed, I recommend trying out the |
|
Hi @joshdover I believe that the Dashboard "share" idea is to use the Dashboard into other web applications, right? The problem is that if my webapplicatoin user is not logged in Kibana, all the embed dashboard will show will be the login page.. How can I accomplish this? Embed a dashboard into my webpage and not requiring the user to be logged in. One solution that I see people trying is, to make an AJAX request to /api/security/v1/login passing the credentials, so the browser could set the proper cookie, and then redirect to the dashboard URL. Unfortunately this approach doesn't work, and I believe it is because this CORS issue. If this is not the problem, how can I embed a Dashboard into my webapp without requiring the user to login. Here are some threads about this issue: Thanks in advance!
|
|
I have the exact same issue as @rafaelaca |
|
I also have the same problem as @rafaelaca and @gnumoksha. |
|
I also have the same problem. @joshdover do you have any solution or something can I do to solve this? |
|
@joshdover Any development in this issue? I am having the exactly same problem as @rafaelaca |
|
@joshdover I'm experiencing the same problem, this seems to me like a simple enough change and it would be greatly appreciated. |
|
@joshdover exactly same thing for us. please address the cors issue |
I think that would not be enough for actual cors requests, does it? The EDIT: nevermind, just looked as how the xsrf interceptor was working. However, I'm not sure this is a viable option for users that want to allow access to the whole backend (but I lack actual use cases from users to actually be sure this is something that may have an actual usage) |
IMO if they truly want to allow access to the entire backend, then they can be explicit about that via the existing |
|
+1 on renaming Which makes sense, and it was probably not the correct configuration to start with, but it passed validation in v7.8. |
My +1 here. Note that As a result, config is going to look like this: cors: schema.object({
enabled: schema.boolean({ defaultValue: false }),
credentials: schema.boolean({ defaultValue: false }),
origin: schema.oneOf([
schema.literal('*'),
schema.arrayOf(hostURISchema, { minSize: 1 }
],
{
defaultValue: '*',
}),
},{
validate(value) {
if (value.credentials === true && value.origin === '*') {
return 'Cannot specify wildcard origin "*" with "credentials: true". Please provide a list of allowed origins.';
}
},
}),
Also, we need to provide recommendations on xpack.security.sameSiteCookies: None
xpack.security.secureCookies: truewhich will require Secure context to be always on. |
|
@restrry sorry for the delay, catching up from my vacation:
I think CORS setups docs would be good to have regardless of the approach we take here.
I think I'm missing something here. The general recommendation is to provide the
Thanks, I wasn't aware of this. I knew we deprecated using this setting for our own IdP routes, but I didn't know that we're taking this away from users altogether. What is the motivation for removing this setting?
Yep, we should make sure to include these recommendations as part of our docs changes.
If security is disabled, then cookies/credentials shouldn't play a role here, right? There shouldn't be a need to provide the server with credentials if security is disabled. |
Ok, my bad. I thought that you are against advising 3rd party services providing the
It's been discussed at #53823 (comment). I'm fine to remove the deprecation warning if you say so.
Sorry for being unclear here. Secure context === requires HTTPS. from https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite:
👍 Should I create an issue for the Core or Docs team? @joshdover @legrego @elastic/kibana-core Can you see any reasons not to provide |
I think this is still a worthwhile configuration option for the more esoteric use cases. We already give admins a way to turn off CSRF protections altogether, so allowing them to turn off protections for a subset of URLs seems like a very reasonable thing to do. @azasypkin any objections to removing the deprecation warning for Actually, perhaps we should keep the deprecation, but instead of saying that this will be removed, we can instead deprecate the current setting in favor of
Ah sorry for the confusion. I think there's two parts to this:
Validations aside, I think your real question was around user guidance and docs. We can make sure to address this as part of the docs writeup for this feature.
I don't see a reason why we can't expose these settings on Cloud. We'll want to make sure it's compatible (i.e., that the proxies won't interfere), but I don't have any concerns with allowing this. I think it would be frustrating for users if we didn't have support on Cloud for this. |
No objections from my side if there is a need for it. I think that was me who suggested to completely remove it since we added it initially just for the SAML use case and I've never heard of any other usage for it since then.
++ |
I respectfully disagree. By requiring that a custom header is specified, it requires that the browser initiate a CORS pre-flight request, that includes the origin and allows us to relax the same-origin restrictions for trusted domains. Adding an endpoint to the
FWIW, I don't think we should be incentivizing the use of this approach to authenticate to Kibana in an |
You're right, sorry for the confusion. Without specifying the
++ I think this is would give us the flexibility that I was envisioning |
|
@jportner would you mind weighing in here to make sure @kobelb and I aren't overlooking anything? To recap, we are proposing to do what Pierre originally suggested by allowing cross-origin requests to specify the Additionally, we are proposing to add a I originally had concerns that allowing |
I think what you recapped makes sense. Our XSRF defense relies on same origin policy, so IMO it should be aligned/relaxed with configurable CORS settings. At this point the only function of the Just to reiterate what @restrry said:
We need to make this clear to admins: when they configure |
👍 @restrry's implementation has a slight permutation on this:
|
🙌 🙌 🙌 |
|
👍 thanks, Joe! |
FWIW, if you meant anonymous authentication provider and not reverse-proxy based "anonymous" access then we do require |
API endpoints with disabled auth?
Kibana refuses to start with an invalid config.
Sure, we can change defaults to allow credentials but require list of allowed cors: schema.object(
{
enabled: schema.boolean({ defaultValue: false }),
credentials: schema.boolean({ defaultValue: true }),
origin: schema.oneOf([schema.literal('*'), schema.arrayOf(hostURISchema)], {
defaultValue: [],
}),
},
{
validate(value) {
if (value.credentials && value.origin === '*') {
return 'Cannot specify wildcard origin "*" with "credentials: true". Please provide a list of allowed origins.';
}
if (value.origin.length === 0) {
return '"origin" must contain at least one valid URL';
}
},
}
),It will throw if
So we should list CSRF protection headers |
I was originally thinking of the anonymous auth provider, but as @azasypkin pointed out, that requires a cookie. But yes this is another use case!
Yes, I was replying with regards to Pierre's proposal above which did not include validation, sorry I missed your newer comment and subsequent PR where you included some validation!
I like it! Edit: I missed the change to default to
|
|
done in #84316 |
|
I modified the |
Why do you think it doesn't work? Do you see any CORS-related errors in the console? |
|
No there are no errors on the console because the http call returns status 204. |
|
@gaetano603 do you know where is http_tools located , can i created a volume for that change in case of docker |
and others
Currently
server.corsaccepts a boolean when in production. Setting this to true, uses*for the accepted origins. Users should be able to specify the origins like we do in dev for Karma['*://localhost:9876']The text was updated successfully, but these errors were encountered: