Github user kkhatua commented on a diff in the pull request: https://github.com/apache/drill/pull/1203#discussion_r182499705 --- Diff: exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/WebServer.java --- @@ -158,7 +158,13 @@ public void start() throws Exception { final int selectors = config.getInt(ExecConstants.HTTP_JETTY_SERVER_SELECTORS); final QueuedThreadPool threadPool = new QueuedThreadPool(2, 2, 60000); embeddedJetty = new Server(threadPool); - embeddedJetty.setHandler(createServletContextHandler(authEnabled)); + ServletContextHandler webServerContext = createServletContextHandler(authEnabled); + //Allow for Other Drillbits to make REST calls + FilterHolder filterHolder = new FilterHolder(CrossOriginFilter.class); + filterHolder.setInitParameter("allowedOrigins", "*"); --- End diff -- Yes. CORS is basically one of the means to prevent DoS attacks. I've added an additional filter that allows access only for the `/status/metrics` path.
---
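Review bot: The wildcard in `filterHolder.setInitParameter("allowedOrigins", "*");` lets a page from any origin read responses from this web server in a user's browser, and the hunk shows nothing that narrows it: no `allowedMethods`, no `allowCredentials`, and no path mapping for the filter. Since `createServletContextHandler(authEnabled)` can serve authenticated content, set `allowCredentials` to `false` explicitly, restrict `allowedMethods` to `GET`, and map the filter only to the endpoint that needs cross-origin reads rather than the whole context. Prefer taking `allowedOrigins` from configuration (the other Drillbits' web addresses) over `*`. The comment `//Allow for Other Drillbits to make REST calls` should also say that the callers are browser pages served by another Drillbit, because CrossOriginFilter only affects browser cross-origin requests and does not restrict or enable server-to-server REST calls.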