GitHub user sohami commented on a diff in the pull request: https://github.com/apache/drill/pull/1203#discussion_r181252867 --- Diff: exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/WebServer.java --- @@ -158,7 +158,13 @@ public void start() throws Exception { final int selectors = config.getInt(ExecConstants.HTTP_JETTY_SERVER_SELECTORS); final QueuedThreadPool threadPool = new QueuedThreadPool(2, 2, 60000); embeddedJetty = new Server(threadPool); - embeddedJetty.setHandler(createServletContextHandler(authEnabled)); + ServletContextHandler webServerContext = createServletContextHandler(authEnabled); + //Allow for Other Drillbits to make REST calls + FilterHolder filterHolder = new FilterHolder(CrossOriginFilter.class); + filterHolder.setInitParameter("allowedOrigins", "*"); --- End diff -- I am not too familiar with the CORS concept, but it would be good to see if we can be more restrictive instead of just *. Also, when authentication is enabled, then with this filter a CORS request still requires authentication, right? Can you please confirm this?
---
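Review bot: `filterHolder.setInitParameter("allowedOrigins", "*")` accepts cross-origin requests from any site, while the comment directly above it says the goal is only to let other Drillbits make REST calls. Consider building the `allowedOrigins` value from a configuration option or from the known Drillbit endpoints, and set the filter's `allowCredentials` parameter explicitly, since this server can run with `authEnabled` and the cross-origin policy for authenticated sessions should not depend on a filter default. The inline comment would also read better as `// Allow other Drillbits to make REST calls`.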