Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security: Allow to configure CORS allow-credentials header to work via SSL #7059

Merged
merged 1 commit into from Aug 5, 2014
Merged

Security: Allow to configure CORS allow-credentials header to work via SSL #7059

merged 1 commit into from Aug 5, 2014

Conversation

spinscale
Copy link
Contributor

This adds support to return the "Access-Control-Allow-Credentials" header
if needed, so CORS will work flawlessly with authenticated applications.

Closes #6380

@erikringsmuth
Copy link
Contributor

I pulled this code and ran it locally. I can confirm it fixes the issue. Thanks @spinscale!

s1monw
s1monw reviewed Jul 29, 2014
View reviewed changes
src/main/java/org/elasticsearch/http/netty/NettyHttpChannel.java
@@ -112,6 +112,10 @@ public void sendResponse(RestResponse response) {
resp.headers().add(ACCESS_CONTROL_ALLOW_METHODS, transport.settings().get("http.cors.allow-methods", "OPTIONS, HEAD, GET, POST, PUT, DELETE"));
resp.headers().add(ACCESS_CONTROL_ALLOW_HEADERS, transport.settings().get("http.cors.allow-headers", "X-Requested-With, Content-Type, Content-Length"));
}

if (transport.settings().getAsBoolean("http.cors.allow-credentials", false)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we use a constant here?

@s1monw s1monw removed the review label Jul 29, 2014
@s1monw
Copy link
Contributor

s1monw commented Jul 29, 2014

left some minor comments

@spinscale
Copy link
Contributor Author

made all the CORS configuration options constants in NettyHttpServerTransport

@kimchy
Copy link
Member

kimchy commented Aug 5, 2014

LGTM

@spinscale
CORS: Allowed to configure allow-credentials header to work via SSL
35e67c8 
This adds support to return the "Access-Control-Allow-Credentials" header
if needed, so CORS will work flawlessly with authenticated applications.

Closes elastic#6380
@spinscale spinscale merged commit 35e67c8 into elastic:master Aug 5, 2014
@clintongormley clintongormley changed the title CORS: Allowed to configure allow-credentials header to work via SSL Security: Allow to configure CORS allow-credentials header to work via SSL Sep 10, 2014
@clintongormley clintongormley added :Core/Infra/REST API REST infrastructure and utilities :Core/Infra/Settings Settings infrastructure and APIs and removed :Core/Infra/REST API REST infrastructure and utilities labels Jun 7, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
:Core/Infra/Settings Settings infrastructure and APIs >enhancement v1.4.0.Beta1 v2.0.0-beta1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CORS: Allowed to configure allow-credentials header to work via SSL
5 participants
@spinscale @erikringsmuth @s1monw @kimchy @clintongormley