Elasticsearch 1.4.0: Marvel Sense fails with “Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource”

After upgrading an Elasticsearch cluster from v1.3.2 to v1.4.0, using Marvel Sense to run queries against the server would fail with:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://www.server.com:9200/?_=1417024257696.
This can be fixed by moving the resource to the same domain or enabling CORS.

This is because ES 1.4.0 now disables CORS by default in order to patch a security vulnerability. To enable CORS, simply add the following to your elasticsearch.yml file:

http:
  cors:
    enabled: true

You can lock it down further by also setting specific allowed origins (such as localhost), keeping enabled: true in place:

http:
  cors:
    allow-origin: /https?:\/\/localhost(:[0-9]+)?/
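
To check what a pattern like this admits before deploying it, the following added example (not from the original post and not Elasticsearch's own code) runs constructed Origin values against the regex above. It assumes a value wrapped in `/` is treated as a regular expression and compares whole-string matching with unanchored matching; `compileAllowOrigin`, `evaluate` and the sample origins are hypothetical names and constructed data.

```javascript
// Added example: models how an allow-origin value could be evaluated.
// Not Elasticsearch code. Assumptions: "/.../" means regex, "*" means any
// origin, anything else is compared as an exact string.
const ALLOW_ORIGIN = String.raw`/https?:\/\/localhost(:[0-9]+)?/`; // value from the config above

// Compile an allow-origin setting into a predicate over Origin header values.
// mode "full" anchors the pattern to the whole header value;
// mode "search" accepts a match anywhere in the value.
function compileAllowOrigin(setting, mode = "full") {
  if (setting === "*") return () => true;
  const isRegex =
    setting.length > 2 && setting.startsWith("/") && setting.endsWith("/");
  if (!isRegex) return (origin) => origin === setting;
  const body = setting.slice(1, -1);
  const re = new RegExp(mode === "full" ? `^(?:${body})$` : body);
  return (origin) => typeof origin === "string" && re.test(origin);
}

// Constructed sample Origin header values.
const SAMPLE_ORIGINS = [
  "http://localhost",
  "https://localhost:9200",
  "http://localhost.example.net", // lookalike host that starts with "localhost"
  "http://www.server.com:9200",
  "null", // sent by sandboxed documents and some redirects
];

// Return the subset of origins the setting would allow in the given mode.
function evaluate(setting, origins, mode) {
  return origins.filter(compileAllowOrigin(setting, mode));
}

console.log("full  :", evaluate(ALLOW_ORIGIN, SAMPLE_ORIGINS, "full"));
console.log("search:", evaluate(ALLOW_ORIGIN, SAMPLE_ORIGINS, "search"));
```

Under whole-string matching only the two localhost origins pass; under unanchored matching the lookalike host passes too, so confirm which behaviour your server version applies, or anchor the pattern explicitly.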

There are plenty of other CORS options in Elasticsearch; you can read about them at http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/modules-http.html#_settings_2