Allow making requests without CORS headers

[andreldm]

This trick is taken from elasticsearch-head, works fine with Chrome but not Firefox, I think the missing part is Content-Security-Policy directive with the script hash which I wasn't able to make work properly.

By the way, awesome project, elasticsearch badly needs a decent UI and this looks promising!

[andreldm]

Ok, forget about CSP, elasticsearch-head for firefox uses the following in the manifest:

"permissions": [
    "http://*/*",
    "https://*/*"
]```

This alone (without `content_scripts`) works for Chrome and Firefox. If you agree, I can update the pull request with this change.

[cars10]

Hi, thank you for contributing to elasticvue. Can you elaborate why you added the content_scripts directive? As far as i know this will result in elasticvue gaining permission to run on every website that the user visits, something that does not make sense for a standalone webapp like elasticvue.

Also this will not change the need for CORS settings as you already mentioned. Sadly i will not add a wildcard permission to elasticvue, please see #14 (comment) for details on the reasons for this.

[andreldm]

Hi, thank you for contributing to elasticvue. Can you elaborate why you added the content_scripts directive? As far as i know this will result in elasticvue gaining permission to run on every website that the user visits, something that does not make sense for a standalone webapp like elasticvue.

Forget about it, the idea was to make it connect without configuring CORS.

Also this will not change the need for CORS settings as you already mentioned. Sadly i will not add a wildcard permission to elasticvue, please see #14 (comment) for details on the reasons for this.

I understand your concern about security, but having to configure CORS is a great downside when using elasticvue, in some cases users won't have access to configure the cluster.
Between having to configure CORS and trusting elasticvue (it's open source after all), I imagine most users would prefer the latter.

If you insist, I'm okay with that, it's your project, but please clarify this stance in the README file, because "You have enable CORS to allow connection to your elasticsearch cluster" sounds more like a technical limitation than a security preference. It also deserves a mention in the comparison page with other frontends.

Lastly, are there plans distribute as an electron app?

[cars10]

Lastly, are there plans distribute as an electron app?

No.

having to configure CORS is a great downside when using elasticvue

I do not agree completely. This is only true if you compare browser extensions, where it is possible to bypass CORS by setting the permissions. You will always have to configure CORS if you use the hosted version or the docker image (the same goes for similar frontends). Right now elasticvue has way more users that use the docker image compared to the sum of browser extension users, so i do not want to focus to much on that right now.

But i agree that it would be way more convenient to not have to configure CORS and just start using elasticvue, i am just not happy with having different usage requirements based on how you use it.

What do you think about my proposal in #14 (comment) , at least allowing requests to any local cluster in the browser extension by default? Would that be a usable compromise for you, or do you think that it wont help much?

[andreldm]

I do not agree completely. This is only true if you compare browser extensions, where it is possible to bypass CORS by setting the permissions. You will always have to configure CORS if you use the hosted version or the docker image (the same goes for similar frontends). Right now elasticvue has way more users that use the docker image compared to the sum of browser extension users, so i do not want to focus to much on that right now.

I'm trying to migrate away from elasticsearch-head, that's how I found elasticvue and thought it would be a nice replacement for me (and about 10 coworkers).

With docker it shouldn't be so hard to solve this, you just need to have a tiny express app proxying requests back and forth ES as well as serving static resources.

But i agree that it would be way more convenient to not have to configure CORS and just start using elasticvue, i am just not happy with having different usage requirements based on how you use it.

While this may be achievable with docker and browser extensions, serving static HTML and letting the browser directly make requests to ES will always have this limitation, so it's a trade-off between homogeneous (crippled) experiences and having a caveat for one way of running elasticvue.

What do you think about my proposal in #14 (comment) , at least allowing requests to any local cluster in the browser extension by default? Would that be a usable compromise for you, or do you think that it wont help much?

It helps for local development instances, my team also needs to browser shared clusters, some are in local servers (e.g. 192.168.x.x) others are on the cloud which we don't have permissions to enable CORS. It certainly helps but it's far from solving the problem.

[cars10]

With docker it shouldn't be so hard to solve this, you just need to have a tiny express app proxying requests back and forth ES as well as serving static resources.

Won't this have the same CORS restrictions again? The express app would need to send a wildcard CORS header to support all imaginable docker setups (because of host/port), with the result that you are again exposing your elasticsearch cluster to every website that you open - this would be way worse then the current situation. Or am i missing something here?

Thank you for the discussion so far!

[cars10]

As per 6a2c713 i have removed the requirement to setup CORS when using browser extensions. I will release a new version in the next few days.

[andreldm]

Won't this have the same CORS restrictions again? The express app would need to send a wildcard CORS header to support all imaginable docker setups (because of host/port), with the result that you are again exposing your elasticsearch cluster to every website that you open - this would be way worse then the current situation. Or am i missing something here?

No, node is not a browser that enforces CORS, here is a proof of concept: https://gist.github.com/andreldm/ad3f9f1790ff2c8d51b63fd82ca8d9c9

Thank you for the discussion so far!

No, thank you :)

As per 6a2c713 i have removed the requirement to setup CORS when using browser extensions. I will release a new version in the next few days.

I'm glad to hear this, once it gets published I'll ping my coworkers, so expect future feedback.

[cars10]

FYI: I published a new version on the weekend, but it is not yet available in the stores for edge and chrome. Seems like COVID-19 might be a slow down, also they manually check each extension when the permissions are changed, so it could really take a few more days or even weeks until they approve it.

[andreldm]

For Firefox it's been updated and I'm using it, thanks again!