diff --git a/docs/reference/modules/http.asciidoc b/docs/reference/modules/http.asciidoc
index 49e4e618f6e..e0fd673def3 100644
--- a/docs/reference/modules/http.asciidoc
+++ b/docs/reference/modules/http.asciidoc
@@ -39,7 +39,7 @@ Defaults to `6`.
 |`http.cors.enabled` |Enable or disable cross-origin resource sharing, i.e. whether a browser on another origin can do requests to
-Elasticsearch. Defaults to `true`.
+Elasticsearch. Defaults to `false`.
 |`http.cors.allow-origin` |Which origins to allow. Defaults to `*`, i.e. any origin. If you prepend and append a `/` to the value, this will
diff --git a/src/main/java/org/elasticsearch/http/netty/NettyHttpChannel.java b/src/main/java/org/elasticsearch/http/netty/NettyHttpChannel.java
index 110450c72ef..8eb9ff8783a 100644
--- a/src/main/java/org/elasticsearch/http/netty/NettyHttpChannel.java
+++ b/src/main/java/org/elasticsearch/http/netty/NettyHttpChannel.java
@@ -96,7 +96,7 @@ public class NettyHttpChannel extends HttpChannel {
 resp = new DefaultHttpResponse(HttpVersion.HTTP_1_1, status);
 }
 if (RestUtils.isBrowser(nettyRequest.headers().get(USER_AGENT))) {
- if (transport.settings().getAsBoolean(SETTING_CORS_ENABLED, true)) {
+ if (transport.settings().getAsBoolean(SETTING_CORS_ENABLED, false)) {
 String originHeader = request.header(ORIGIN);
 if (!Strings.isNullOrEmpty(originHeader)) {
 if (corsPattern == null) {
diff --git a/src/test/java/org/elasticsearch/rest/CorsRegexDefaultTests.java b/src/test/java/org/elasticsearch/rest/CorsRegexDefaultTests.java
index b9a3f5b9f10..7c03171d4b3 100644
--- a/src/test/java/org/elasticsearch/rest/CorsRegexDefaultTests.java
+++ b/src/test/java/org/elasticsearch/rest/CorsRegexDefaultTests.java
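Review bot: In the NettyHttpChannel.java hunk the new default is the bare literal `false` in `getAsBoolean(SETTING_CORS_ENABLED, false)`, and nothing at the gate says that CORS is now opt-in or what an operator gets by opting in. The documentation context in this same commit still gives `http.cors.allow-origin` a default of `*`, so setting only `http.cors.enabled: true` presumably brings back the any-origin behaviour that this commit switches off by default. I would add a comment above the check, e.g. `// CORS is opt-in; when enabling it, set http.cors.allow-origin to the exact origins that need access, because its default is *`. The enclosing method starts and ends outside the hunk, so whether any other CORS-related header is written outside this `if` cannot be confirmed from here.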
@@ -31,13 +31,12 @@ import static org.hamcrest.Matchers.*;
 public class CorsRegexDefaultTests extends ElasticsearchIntegrationTest {
 @Test
- public void testCorsSettingDefaultBehaviour() throws Exception {
+ public void testCorsSettingDefaultBehaviourDoesNotReturnAnything() throws Exception {
 String corsValue = "http://localhost:9200";
 HttpResponse response = httpClient().method("GET").path("/").addHeader("User-Agent", "Mozilla Bar").addHeader("Origin", corsValue).execute();
 assertThat(response.getStatusCode(), is(200));
- assertThat(response.getHeaders(), hasKey("Access-Control-Allow-Origin"));
- assertThat(response.getHeaders().get("Access-Control-Allow-Origin"), is("*"));
+ assertThat(response.getHeaders(), not(hasKey("Access-Control-Allow-Origin")));
 assertThat(response.getHeaders(), not(hasKey("Access-Control-Allow-Credentials")));
 }
diff --git a/src/test/java/org/elasticsearch/rest/CorsRegexTests.java b/src/test/java/org/elasticsearch/rest/CorsRegexTests.java
index 9c63f193f1a..18c89c1b73a 100644
--- a/src/test/java/org/elasticsearch/rest/CorsRegexTests.java
+++ b/src/test/java/org/elasticsearch/rest/CorsRegexTests.java
@@ -34,6 +34,7 @@ import java.net.InetSocketAddress;
 import static org.elasticsearch.http.netty.NettyHttpServerTransport.SETTING_CORS_ALLOW_ORIGIN;
 import static org.elasticsearch.http.netty.NettyHttpServerTransport.SETTING_CORS_ALLOW_CREDENTIALS;
+import static org.elasticsearch.http.netty.NettyHttpServerTransport.SETTING_CORS_ENABLED;
 import static org.elasticsearch.test.ElasticsearchIntegrationTest.ClusterScope;
 import static org.elasticsearch.test.ElasticsearchIntegrationTest.Scope;
 import static org.hamcrest.Matchers.*;
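Review bot: In the CorsRegexDefaultTests.java hunk, `testCorsSettingDefaultBehaviourDoesNotReturnAnything` sends only a `GET` with an `Origin` header, so the disabled-by-default path is never checked for a preflight request. If the server answers `OPTIONS` with CORS headers from code outside the changed `if` (not visible in this diff), this test would still pass. I would add a second request built with `.method("OPTIONS")` and the same `User-Agent` and `Origin` headers, asserting `not(hasKey("Access-Control-Allow-Origin"))` and `not(hasKey("Access-Control-Allow-Methods"))` on its response.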
@@ -52,7 +53,8 @@ public class CorsRegexTests extends ElasticsearchIntegrationTest {
 return ImmutableSettings.settingsBuilder()
 .put(super.nodeSettings(nodeOrdinal))
 .put(SETTING_CORS_ALLOW_ORIGIN, "/https?:\\/\\/localhost(:[0-9]+)?/")
- .put(SETTING_CORS_ALLOW_CREDENTIALS, "true")
+ .put(SETTING_CORS_ALLOW_CREDENTIALS, true)
+ .put(SETTING_CORS_ENABLED, true)
 .build();
 }