JIRA REST API cors

6
votes

I keep getting the following CORS error when trying to consume the JIRA ReST API:

Fetch API cannot load https://jira.our-domain-name.com/jira/rest/api/2/search?jql=project=tcc%20and%20cf[10809]~8423362. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://application-url.our-domain-name.com' is therefore not allowed access. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

However, this search URL works 100% when I paste it directly into the browser, or running it through Postman, or using CURL from command line.

My app is calling the API, using the javascript fetch API. I set the following headers when making the GET request:

headers: {
    "content-type": "application/json",
    "authorization": "Basic <<encrypted>>"
}

I have ensured that the requesting host has been whitelised in JIRA admin - I have tested the host using the test feature on the whitelist page.

When I change the whitelist from wildcard to Domain Name, I suddenly get this:

Fetch API cannot load https://jira.our-domain-name.com/jira/rest/api/2/search?jql=project=tcc%20and%20cf[10809]~8423362. Request header field authorization is not allowed by Access-Control-Allow-Headers in preflight response.

Any ideas?

1
restcorsjira
I am no JIRA expert but I ran into a similar problem. You would need to reconfigure JIRA to allow CORS access. Simply white-listing your domain is not enough. If you take a look into the network history of your browser, you see that XHR first sends a OPTIONS request to JIRA which response apparently does not yield the expected permissions. I do not know how to fix it in JIRA, though.Arrmaniac
I have gone through every single JIRA config options, and there is nothing specific to CORS. They only reference to CORS, is setting the "Allow incoming", on the whitelist, which I have set. I have tried ALL the options available in the Type of whitelist, with no luck.go4cas
I have now even tried creating an Application Link between my app URL and JIRA, but still getting the same CORS errors.go4cas
Also tried using cookie based auth, in stead of basic auth. Again, working in CuRL and Postman, not from the browser.go4cas
I feel your frustration, as it was the same with me at that point. Maybe you have management access to the webserver that handles requests to your JIRA application. And in the appropriate server config file you can set the header directive that will produce the response header "Access-Control-Allow-Origin: *"Arrmaniac

1 Answers

1
votes

You have 2 options.

The easiest way is to proxy your request through your backend (if that's possible) since the CORS restrictions are enforced on JavaScript running within the browser.

The other way would be to reconfigure the Tomcat server that Jira is running on to support sending a CORS header. This can have other security implications if not done right.