  1. Confluence Data Center
  2. CONFSERVER-41269

Improve documentation on configuring CORS in Confluence



      Configuring the Allowlist mentions that enabling incoming on the allowlist configuration will enable CORS:

      Allow Incoming enables CORS requests from the specified origin

      However, we've found that this, in fact, does not add the necessary Access-Control-Allow-Origin header.

      How to check for Access-Control-Allow-Origin header

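      You can check the Access-Control-Allow-Origin header value by running the following curl command against your Confluence instance. The -D option writes the response headers to ~/Downloads/headers.txt; -k disables TLS certificate verification, so omit it when the instance presents a trusted certificate:

      curl -L -k -H "Origin: https://www.my-origin-url.com" -u admin:admin-pword -v "https://<confluence-base-url>/rest/api/user?username=admin" -D ~/Downloads/headers.txt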
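
As an added example (not part of the original ticket or Atlassian's code), the Python below reads the header dump that `curl -L -D` writes and classifies the final response's Access-Control-Allow-Origin against the Origin that was sent. The function names and the sample dumps are constructed for illustration.

```python
# Added example, not from the original ticket. Function names and the sample
# dumps are constructed; the Origin value is the one from the curl command.

def final_response_headers(dump):
    """Return {lowercased name: [values]} for the last response in the dump.
    With -L, curl -D writes one header block per redirect hop, separated by a
    blank line. The last block is the response from the REST endpoint itself.
    """
    blocks = [b for b in dump.replace("\r\n", "\n").split("\n\n")
              if b.lstrip().startswith("HTTP/")]
    if not blocks:
        raise ValueError("no HTTP response found in dump")
    headers = {}
    for line in blocks[-1].strip().split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit_cors(dump, origin):
    """Classify the final response against the Origin that was sent."""
    headers = final_response_headers(dump)
    acao = headers.get("access-control-allow-origin", [])
    with_creds = headers.get("access-control-allow-credentials", []) == ["true"]
    if not acao:
        return "missing"            # the symptom reported in this ticket
    if len(acao) > 1 or "," in acao[0]:
        return "multiple-values"    # browsers accept exactly one origin
    if acao[0] == "*":
        # "*" is refused for credentialed requests and, without credentials,
        # lets any site read the response.
        return "wildcard-with-credentials" if with_creds else "wildcard"
    if acao[0] != origin:
        return "mismatch"           # exact compare: scheme, host and port
    return "ok"

ORIGIN = "https://www.my-origin-url.com"
REDIRECT_THEN_NO_CORS = (          # constructed: only the 302 hop has the header
    "HTTP/1.1 302 Found\r\nLocation: /rest/api/user?username=admin\r\n"
    "Access-Control-Allow-Origin: https://www.my-origin-url.com\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n")
BARE_HOST = (                      # constructed: value lacks the scheme
    "HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: www.my-origin-url.com\r\n\r\n")
ALLOWED = (                        # constructed: HTTP/2 with lowercase names
    "HTTP/2 200\r\naccess-control-allow-origin: https://www.my-origin-url.com\r\n"
    "vary: Origin\r\n\r\n")
if __name__ == "__main__":
    for dump in (REDIRECT_THEN_NO_CORS, BARE_HOST, ALLOWED):
        print(audit_cors(dump, ORIGIN))
```

To audit a real dump, pass the contents of ~/Downloads/headers.txt and the Origin value used in the curl command to `audit_cors`.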

      How to enable CORS for a specific URL (valid for Confluence 7.15 and below; for versions above 7.15, see feature request CONFSERVER-80056):

      1. Stop Confluence
      2. Open <confluence-install>/confluence/WEB-INF/web.xml for editing
        • NOTE: when adding this CORS filter to the web.xml file, ensure it is the first filter listed in web.xml
      3. Paste the following, updating the cors.allowed.headers <param-value> to a comma-separated list of URLs that need access to Confluence. For more information on enabling CORS in Atlassian applications, please refer to Apache Tomcat 9 Configuration Reference (9.0.39) - Container Provided Filters
        <!-- ==================== CORS configuration ====================== -->
          <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
            <param-value>https://example.url.com, https://identity-provider-domain-url</param-value>
        • If using Apache as a reverse proxy, add the following to the <Location> or <VirtualHost> configured for Confluence (reference: CORS on Apache):
          Header set Access-Control-Allow-Origin "https://example.url.com"
        • For IIS 7, merge this into the web.config file at the root of your application/site:
          <?xml version="1.0" encoding="utf-8"?>
              <add name="Access-Control-Allow-Origin" value="https://example.url.com" />
        • If using other proxies, check CORS_ENABLED for examples such as Nginx and IIS6
        • Remember to add your SAML provider to the comma-separated list of URLs in the CORS filter
      4. Save web.xml
      5. Start Confluence

            Unassigned Unassigned
            aworley Ann Worley (Inactive)