Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow making requests without CORS headers #17

Closed
wants to merge 1 commit into from
Closed

Allow making requests without CORS headers #17

wants to merge 1 commit into from

Conversation

andreldm
Copy link

@andreldm andreldm commented Mar 17, 2020
edited
Loading

This trick is taken from elasticsearch-head, works fine with Chrome but not Firefox, I think the missing part is Content-Security-Policy directive with the script hash which I wasn't able to make work properly.

By the way, awesome project, elasticsearch badly needs a decent UI and this looks promising!

@andreldm
Copy link
Author

Ok, forget about CSP, elasticsearch-head for firefox uses the following in the manifest:

"permissions": [
    "http:https://*/*",
    "https://*/*"
]```

This alone (without `content_scripts`) works for Chrome and Firefox. If you agree, I can update the pull request with this change.

@cars10
Copy link
Owner

cars10 commented Mar 17, 2020

Hi, thank you for contributing to elasticvue. Can you elaborate why you added the content_scripts directive? As far as i know this will result in elasticvue gaining permission to run on every website that the user visits, something that does not make sense for a standalone webapp like elasticvue.

Also this will not change the need for CORS settings as you already mentioned. Sadly i will not add a wildcard permission to elasticvue, please see #14 (comment) for details on the reasons for this.

@andreldm
Copy link
Author

Hi, thank you for contributing to elasticvue. Can you elaborate why you added the content_scripts directive? As far as i know this will result in elasticvue gaining permission to run on every website that the user visits, something that does not make sense for a standalone webapp like elasticvue.

Forget about it, the idea was to make it connect without configuring CORS.

Also this will not change the need for CORS settings as you already mentioned. Sadly i will not add a wildcard permission to elasticvue, please see #14 (comment) for details on the reasons for this.

I understand your concern about security, but having to configure CORS is a great downside when using elasticvue, in some cases users won't have access to configure the cluster.
Between having to configure CORS and trusting elasticvue (it's open source after all), I imagine most users would prefer the latter.

If you insist, I'm okay with that, it's your project, but please clarify this stance in the README file, because "You have enable CORS to allow connection to your elasticsearch cluster" sounds more like a technical limitation than a security preference. It also deserves a mention in the comparison page with other frontends.

Lastly, are there plans distribute as an electron app?

@cars10
Copy link
Owner

cars10 commented Mar 17, 2020

Lastly, are there plans distribute as an electron app?

No.

having to configure CORS is a great downside when using elasticvue

I do not agree completely. This is only true if you compare browser extensions, where it is possible to bypass CORS by setting the permissions. You will always have to configure CORS if you use the hosted version or the docker image (the same goes for similar frontends). Right now elasticvue has way more users that use the docker image compared to the sum of browser extension users, so i do not want to focus to much on that right now.

But i agree that it would be way more convenient to not have to configure CORS and just start using elasticvue, i am just not happy with having different usage requirements based on how you use it.

What do you think about my proposal in #14 (comment) , at least allowing requests to any local cluster in the browser extension by default? Would that be a usable compromise for you, or do you think that it wont help much?

@andreldm
Copy link
Author

I do not agree completely. This is only true if you compare browser extensions, where it is possible to bypass CORS by setting the permissions. You will always have to configure CORS if you use the hosted version or the docker image (the same goes for similar frontends). Right now elasticvue has way more users that use the docker image compared to the sum of browser extension users, so i do not want to focus to much on that right now.

I'm trying to migrate away from elasticsearch-head, that's how I found elasticvue and thought it would be a nice replacement for me (and about 10 coworkers).

With docker it shouldn't be so hard to solve this, you just need to have a tiny express app proxying requests back and forth ES as well as serving static resources.

But i agree that it would be way more convenient to not have to configure CORS and just start using elasticvue, i am just not happy with having different usage requirements based on how you use it.

While this may be achievable with docker and browser extensions, serving static HTML and letting the browser directly make requests to ES will always have this limitation, so it's a trade-off between homogeneous (crippled) experiences and having a caveat for one way of running elasticvue.

What do you think about my proposal in #14 (comment) , at least allowing requests to any local cluster in the browser extension by default? Would that be a usable compromise for you, or do you think that it wont help much?

It helps for local development instances, my team also needs to browser shared clusters, some are in local servers (e.g. 192.168.x.x) others are on the cloud which we don't have permissions to enable CORS. It certainly helps but it's far from solving the problem.

@cars10
Copy link
Owner

cars10 commented Mar 17, 2020

With docker it shouldn't be so hard to solve this, you just need to have a tiny express app proxying requests back and forth ES as well as serving static resources.

Won't this have the same CORS restrictions again? The express app would need to send a wildcard CORS header to support all imaginable docker setups (because of host/port), with the result that you are again exposing your elasticsearch cluster to every website that you open - this would be way worse then the current situation. Or am i missing something here?

Thank you for the discussion so far!

@cars10
Copy link
Owner

cars10 commented Mar 18, 2020

As per 6a2c713 i have removed the requirement to setup CORS when using browser extensions. I will release a new version in the next few days.

@cars10 cars10 closed this Mar 18, 2020
@andreldm
Copy link
Author

Won't this have the same CORS restrictions again? The express app would need to send a wildcard CORS header to support all imaginable docker setups (because of host/port), with the result that you are again exposing your elasticsearch cluster to every website that you open - this would be way worse then the current situation. Or am i missing something here?

No, node is not a browser that enforces CORS, here is a proof of concept: https://gist.github.com/andreldm/ad3f9f1790ff2c8d51b63fd82ca8d9c9

Thank you for the discussion so far!

No, thank you :)

As per 6a2c713 i have removed the requirement to setup CORS when using browser extensions. I will release a new version in the next few days.

I'm glad to hear this, once it gets published I'll ping my coworkers, so expect future feedback.

@cars10
Copy link
Owner

cars10 commented Mar 24, 2020

FYI: I published a new version on the weekend, but it is not yet available in the stores for edge and chrome. Seems like COVID-19 might be a slow down, also they manually check each extension when the permissions are changed, so it could really take a few more days or even weeks until they approve it.

@andreldm
Copy link
Author

For Firefox it's been updated and I'm using it, thanks again!

@cars10 cars10 mentioned this pull request Mar 28, 2020
Closed
cars10 added a commit that referenced this pull request Jul 6, 2023
@cars10
fix workflow #17
4810cb8
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@andreldm @cars10