- Bug
- Resolution: Unresolved
- Medium
- None
- 5.9.7, 6.15.7
- 78
- Severity 3 - Minor
- 4
Summary
The "Configuring the Allowlist" documentation mentions that enabling incoming on the allowlist configuration will enable CORS:
"Allow Incoming enables CORS requests from the specified origin"
However, we've found that this, in fact, does not add the necessary Access-Control-Allow-Origin header.
How to check for Access-Control-Allow-Origin header
You can check for the Access-Control-Allow-Origin header value by running the following curl command against your Confluence instance. The -D option writes the response headers to ~/Downloads/headers.txt:

    curl -L -k -H "Origin: https://www.my-origin-url.com" -u admin:admin-pword -v https://<confluence-base-url>/rest/api/user\?username\=admin -D ~/Downloads/headers.txt
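To turn the header dump written by the curl command above into a pass/fail result, the script below classifies the final response in a `curl -D` file. It is an added example, not part of the original ticket or Atlassian's code; the function name `check_cors` and its verdict words are assumptions of this example, and the sample headers are constructed.

```shell
#!/usr/bin/env bash
# Added example (not Atlassian's code): classify the CORS headers in a curl -D dump.
# Usage: check_cors HEADERS_FILE ORIGIN  -> prints a verdict, returns 0 only for "ok".
check_cors() {
  awk -v origin="$2" '
    { sub(/\r$/, "") }                          # curl -D writes CRLF line endings
    # curl -L dumps one header block per hop; reset so only the last one is judged
    $0 ~ "^HTTP/" { acao = ""; acac = ""; n = 0; next }
    {
      i = index($0, ":"); if (i == 0) next
      name = tolower(substr($0, 1, i - 1))      # header names are case-insensitive
      value = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", value)
      if (name == "access-control-allow-origin") { acao = value; n++ }
      if (name == "access-control-allow-credentials") acac = tolower(value)
    }
    END {
      if (n == 0)              v = "missing"         # the behaviour this ticket reports
      else if (n > 1)          v = "duplicate"       # browsers reject more than one value
      else if (acao == "*")    v = "wildcard"        # not accepted for credentialed requests
      else if (acao != origin) v = "mismatch"        # includes values lacking the scheme
      else if (acac != "true") v = "no-credentials"  # credentialed requests will be blocked
      else                     v = "ok"
      print v
      exit (v == "ok" ? 0 : 1)
    }
  ' "$1"
}

# Constructed sample: a redirect hop, then a final response without the header.
sample=$(mktemp)
printf 'HTTP/1.1 302 Found\r\nLocation: /rest/api/user\r\n\r\n' > "$sample"
printf 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n' >> "$sample"
check_cors "$sample" "https://www.my-origin-url.com" || true   # prints: missing
rm -f "$sample"
```

Run it as `check_cors ~/Downloads/headers.txt "https://www.my-origin-url.com"` after the curl command, passing the same origin that was sent in the Origin header.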
How to enable CORS for a specific URL (valid for Confluence 7.15 and below; for versions above 7.15, see feature request CONFSERVER-80056):
- Stop Confluence
- Open <confluence-install>/confluence/WEB-INF/web.xml for editing
- NOTE: when adding this CORS filter to the web.xml file, ensure it is the first filter listed in web.xml
- Paste the following, updating the cors.allowed.origins <param-value> to a comma-separated list of URLs that need access to Confluence. For more information on enabling CORS in Atlassian applications, please refer to Apache Tomcat 9 Configuration Reference (9.0.39) - Container Provided Filters

      <!-- ==================== CORS configuration ====================== -->
      <filter>
        <filter-name>CorsFilter</filter-name>
        <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
        <init-param>
          <param-name>cors.allowed.origins</param-name>
          <param-value>https://example.url.com, https://identiy-provider-domain-url</param-value>
        </init-param>
        <init-param>
          <param-name>cors.allowed.methods</param-name>
          <param-value>GET,POST,PUT,DELETE</param-value>
        </init-param>
        <init-param>
          <param-name>cors.exposed.headers</param-name>
          <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
        </init-param>
        <init-param>
          <param-name>cors.support.credentials</param-name>
          <param-value>true</param-value>
        </init-param>
      </filter>
      <filter-mapping>
        <filter-name>CorsFilter</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>

- If using Apache as a reverse proxy, add the following to the <Location> or <VirtualHost> configured for Confluence (reference: CORS on Apache). The header value must be the full origin, scheme included, because browsers compare it with the Origin header of the request:

      Header set Access-Control-Allow-Origin "https://example.url.com"

- For IIS 7, merge this into the web.config file at the root of your application/site:

      <?xml version="1.0" encoding="utf-8"?>
      <configuration>
        <system.webServer>
          <httpProtocol>
            <customHeaders>
              <add name="Access-Control-Allow-Origin" value="https://example.url.com" />
            </customHeaders>
          </httpProtocol>
        </system.webServer>
      </configuration>

- If using other proxies, check CORS_ENABLED for examples such as Nginx and IIS6
- Remember to add your SAML provider to the comma-separated list of URLs in the CORS filter
- Save web.xml
- Start Confluence
- is related to
  - JRASERVER-45656 Add CORS Header Configuration to Whitelist Rules (Gathering Interest)
- relates to
  - CONFSERVER-80056 CORS for Specific URLs filter Confluence 7.15+ (Gathering Interest)