CORS issue while connecting with basic auth

[farhan687]

My goal is to access elasticsearch data from other domain, am I missing anything over here?

I set the config in elasticsearch.yml file which looks like this

http.cors.enabled: true
http.cors.allow-origin: "/.*/"
http.cors.allow-credentials: true
http.cors.allow-headers: "Authorization, X-Requested-With, Content-Type, Content-Length"

after set the config I restart elasticsearch

now I want to do xhr call from other domain

var xhr = new XMLHttpRequest();
xhr.open('POST', 'http://127.0.0.1:9200/_search', true);
xhr.withCredentials = true;
xhr.setRequestHeader('Content-Type', 'application/json');
xhr.setRequestHeader('Authorization', 'Basic ' + btoa('admin:admin'));
xhr.send('{"query":{"match_all":{}}}');

It responds with following error

XMLHttpRequest cannot load http://127.0.0.1:9200/_search. Request header field Authorization is not allowed by Access-Control-Allow-Headers in preflight response.

[jasontedor]

Would you please provide the information that was requested in the issue template, especially the version of Elasticsearch?

[farhan687]

Hey @jasontedor
It is Elasticsearch Version: 2.3.0, Build: 8371be8/2016-03-29T07:54:48Z, JVM: 1.8.0_101.

[jasontedor]

Duplicates #17483, fixed in 2.3.2. This is why the version information is so important.