  1. Confluence Server and Data Center
  2. CONFSERVER-41269

Improve documentation on configuring CORS in Confluence





      Configuring the Allowlist mentions that enabling incoming on the allowlist configuration will enable CORS:

      Allow Incoming enables CORS requests from the specified origin

      However, we've found that this, in fact, does not add the necessary Access-Control-Allow-Origin header.

      How to check for Access-Control-Allow-Origin header

      You can check for the Access-Control-Allow-Origin header value by running the following curl command against your Confluence instance:

      curl -L -k -H "Origin: https://www.my-origin-url.com" -u admin:admin-pword -v https://<confluence-base-url>/rest/api/user\?username\=admin -D ~/Downloads/headers.txt
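One way to evaluate the header dump that the curl command above writes with -D, as an added example that is not part of the original issue: because -L follows redirects, the dump can hold several response header blocks, and only the final one is judged. The names `acao_check` and `sample_dump` are hypothetical, and the sample responses are constructed.

```shell
#!/bin/sh
# Added example: classify the Access-Control-Allow-Origin (ACAO) header in a
# header dump written by `curl -D`. With -L the dump holds one header block
# per response in the redirect chain; only the final block is judged.

# acao_check HEADER_FILE ORIGIN   (hypothetical helper name)
# Prints one of: missing | match | wildcard | mismatch:<value>
acao_check() {
    awk -v origin="$2" '
        { sub(/\r$/, "") }                        # curl keeps CRLF line endings
        /^HTTP\// { acao = ""; seen = 0; next }   # new response block: reset
        {
            split($0, kv, ":")                    # kv[1] is the header name
            if (tolower(kv[1]) == "access-control-allow-origin") {
                acao = substr($0, length(kv[1]) + 2)
                gsub(/^[ \t]+|[ \t]+$/, "", acao)
                seen = 1
            }
        }
        END {
            if (!seen)               print "missing"
            else if (acao == origin) print "match"
            else if (acao == "*")    print "wildcard"
            else                     print "mismatch:" acao
        }
    ' "$1"
}

# Constructed sample: a 302 followed by the final 200, as `curl -L -D` writes it.
# $1 = ACAO value on the final response (empty string = header absent).
sample_dump() {
    printf 'HTTP/1.1 302 \r\nLocation: /rest/api/user?username=admin\r\n\r\n'
    printf 'HTTP/1.1 200 \r\nContent-Type: application/json\r\n'
    if [ -n "$1" ]; then printf 'access-control-allow-origin: %s\r\n' "$1"; fi
    printf '\r\n'
}

# Demo over constructed dumps; the origin is the one sent in the curl command.
want="https://www.my-origin-url.com"
tmp=$(mktemp)
for v in "" "$want" "www.my-origin-url.com" "*"; do
    sample_dump "$v" > "$tmp"
    printf '%-32s -> %s\n' "${v:-<absent>}" "$(acao_check "$tmp" "$want")"
done
rm -f "$tmp"
```

Against a real instance, run `acao_check ~/Downloads/headers.txt https://www.my-origin-url.com` after the curl command. A `mismatch` result covers values that lack the scheme, which a browser will not accept because the Origin it sends includes the scheme.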

      How to enable CORS for a specific URL (valid for Confluence 7.15 and below; for versions above 7.15, see feature request CONFSERVER-80056):

      1. Stop Confluence
      2. Open <confluence-install>/confluence/WEB-INF/web.xml for editing
        • NOTE: when adding this CORS filter to the web.xml file, ensure it is the first filter listed in web.xml
      3. Paste the following, updating the cors.allowed.headers <param-value> to a comma-separated list of URLs that need access to Confluence. For more information on enabling CORS in Atlassian applications, please refer to Apache Tomcat 9 Configuration Reference (9.0.39) - Container Provided Filters
        <!-- ==================== CORS configuration ====================== -->
          <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
            <param-value>https://example.url.com, https://identiy-provider-domain-url</param-value>
        • If using Apache as a reverse proxy, add the following to the <Location> or <VirtualHost> configured for Confluence (reference: CORS on Apache):
          Header set Access-Control-Allow-Origin "https://example.url.com"
        • For IIS 7, merge this into the web.config file at the root of your application/site:
          <?xml version="1.0" encoding="utf-8"?>
                    <add name="Access-Control-Allow-Origin" value="https://example.url.com" />
        • If using other proxies, check CORS_ENABLED for examples such as Nginx and IIS6
        • Remember to add your SAML provider to the comma-separated list of URLs in the CORS filter
      4. Save web.xml
      5. Start Confluence


              aworley Ann Worley (Inactive)