[4.x] Pass all headers in callWithRequest #7564
Comments
|
Closed by #7592 |
|
While I'm all for consistency, I read through #6221 and it was stated that backporting the headers whitelist would be a breaking change because some people might be relying on all headers being sent through in the proxy. Well... this is even more of a breaking change for anyone using |
|
But while there are Kibana installs that do not leverage callWithRequest (all purely open source installs), there are no Kibana installs that only use callWithRequest. So changing the behavior of callWithRequest makes Kibana consistent, while not doing anything ensures that Kibana is not consistent with shield.
|
|
Regardless of whether or not it makes it consistent, it's a breaking change, and it is causing problems because My suggestion is that we either backport the whitelist behavior for |
|
I think trying to figure out which browser headers to forward or not is error-prone. I think implementing the whitelist as we did in 5.0 is the safer choice. |
|
I don't understand. What behavior is breaking exactly?
|
|
The implementation in this PR passes through all headers, including That's just one specific example but generally speaking, as @lukasolson said, callWithRequest is a not a proxy so we shouldn't try to make it behave like one, when it comes to forwarding headers. |
|
Even with the whitelisting behavior in master, this sounds like a separate bug. That said, I agree that the effect of allowing all headers in 4.x is way worse with this. We should revert it.
|
`v93.3.0`⏩ `v93.4.0` --- ## [`v93.4.0`](https://github.com/elastic/eui/releases/v93.4.0) - Added the following properties to `EuiButtonGroup`'s `options` configs: `toolTipContent`, `toolTipProps`, and `title`. These new properties allow wrapping buttons in `EuiToolTips`, and additionally customizing or disabling the native browser `title` tooltip. ([#7461](elastic/eui#7461)) - Enhanced `EuiResizeObserver` and `useResizeObserver`'s performance to not trigger page reflows on resize event ([#7575](elastic/eui#7575)) - Updated `EuiSuperUpdateButton` to support custom button text via an optional `children` prop ([#7576](elastic/eui#7576)) **Bug fixes** - Fixed `EuiFlyout` to not repeatedly remove/add a body class on resize ([#7462](elastic/eui#7462)) - Fixed `EuiToast` title text to wrap instead of overflowing out of the container ([#7568](elastic/eui#7568)) - Fixed a visual bug with `EuiHeaderBreadcrumbs` with popovers ([#7580](elastic/eui#7580)) **Deprecations** - Deprecated `euiPalettePositive` and `euiPaletteNegative` in favour of a more culturally inclusive `euiPaletteGreen` and `euiPaletteRed` ([#7570](elastic/eui#7570)) - Deprecated all charts theme exports in favor of `@elastic/charts` exports: ([#7572](elastic/eui#7572)) - Deprecated `EUI_CHARTS_THEME_<DARK|LIGHT>` in favor of `<DARK|LIGHT>_THEME` from `@elastic/charts`. ([#7572](elastic/eui#7572)) - Deprecated `EUI_SPARKLINE_THEME_PARTIAL` in favor of `useSparklineOverrides` theme from the kibana `charts` plugin `theme` service. **Accessibility** - Updated `EuiModal` to set an `aria-modal` attribute and a default `dialog` role ([#7564](elastic/eui#7564)) - Updated `EuiConfirmModal` to set a default `alertdialog` role ([#7564](elastic/eui#7564)) - Fixed `EuiModal` and `EuiConfirmModal` to properly trap Safari+VoiceOver's virtual cursor ([#7564](elastic/eui#7564))
To make the behavior consistent with the main proxy, plugin requests through the
callWithRequestservice should send all client headers to ES rather than none.This behavior is going to be reversed in 5.0 in favor of a configurable header whitelist, but in the meantime it might as well be consistent. We can't change the proxy behavior in 4.x because it's a backwards compatibility break, so this is the next best option.
Related to #6221
The text was updated successfully, but these errors were encountered: