CONFSERVER-41269 (Confluence Data Center)

Improve documentation on configuring CORS in Confluence


Details

    Description

      Summary

      Configuring the Allowlist mentions that enabling incoming on the allowlist configuration will enable CORS:

      Allow Incoming enables CORS requests from the specified origin

      However, we've found that this, in fact, does not add the necessary Access-Control-Allow-Origin header.

      How to check for Access-Control-Allow-Origin header

      You can check for the Access-Control-Allow-Origin header value by running the following curl command against your Confluence instance:

      curl -L -k -H "Origin: https://www.my-origin-url.com" -u admin:admin-pword -v https://<confluence-base-url>/rest/api/user\?username\=admin -D ~/Downloads/headers.txt
      
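      As an added example (not part of the original issue or of Atlassian's documentation), this shell helper reads the header dump that the curl command above writes with -D and reports whether the final response actually allows the origin. Because -L makes curl record one header block per redirect hop, it evaluates only the last block; the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: judge the CORS headers in a dump written by `curl -L -D FILE`.

# Print the value of header $2 from the LAST response block in dump $1.
# With -L, curl records one header block per redirect hop; only the final
# response is what the browser would evaluate.
last_header() {
  awk -v want="$2" '
    /^HTTP\// { val = "" }                 # new response block: forget earlier hops
    {
      sub(/\r$/, "")                       # header dumps use CRLF line endings
      i = index($0, ":")
      if (i && tolower(substr($0, 1, i - 1)) == tolower(want)) {
        val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
      }
    }
    END { print val }' "$1"
}

# check_cors FILE ORIGIN: return 0 only if the final response allows ORIGIN.
check_cors() {
  acao=$(last_header "$1" "Access-Control-Allow-Origin")
  acac=$(last_header "$1" "Access-Control-Allow-Credentials")
  if [ -z "$acao" ]; then
    echo "MISSING: final response has no Access-Control-Allow-Origin"; return 1
  elif [ "$acao" = "*" ] && [ "$acac" = "true" ]; then
    echo "INVALID: wildcard origin combined with credentials"; return 2
  elif [ "$acao" != "$2" ]; then
    echo "MISMATCH: header is '$acao', request origin was '$2'"; return 3
  fi
  echo "OK: $2 is allowed (credentials: ${acac:-not sent})"
}

# Constructed sample dump: a redirect hop followed by the final response.
write_sample_dump() {
  printf '%s\r\n' 'HTTP/1.1 302 Found' 'Location: /rest/api/user' '' \
    'HTTP/1.1 200 OK' 'Content-Type: application/json' \
    'Access-Control-Allow-Origin: https://www.my-origin-url.com' \
    'Access-Control-Allow-Credentials: true' '' > "$1"
}

# Usage: sh check_cors.sh ~/Downloads/headers.txt https://www.my-origin-url.com
if [ "$#" -eq 2 ]; then check_cors "$1" "$2"; fi
```

      A header value without the scheme, such as a bare hostname, is reported as MISMATCH, because browsers compare the header against the full origin (scheme, host and port).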

      How to enable CORS for a specific URL (valid for Confluence 7.15 and below; for versions above 7.15, see feature request CONFSERVER-80056):

      1. Stop Confluence
      2. Open <confluence-install>/confluence/WEB-INF/web.xml for editing
        • NOTE: when adding this CORS filter to the web.xml file, ensure it is the first filter listed in web.xml
      3. Paste the following, updating the cors.allowed.origins <param-value> to a comma-separated list of URLs that need access to Confluence. For more information on enabling CORS in Atlassian applications, please refer to Apache Tomcat 9 Configuration Reference (9.0.39) - Container Provided Filters
        <!-- ==================== CORS configuration ====================== -->
        <filter>
          <filter-name>CorsFilter</filter-name>
          <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
          <init-param>
            <param-name>cors.allowed.origins</param-name>
            <param-value>https://example.url.com, https://identity-provider-domain-url</param-value>
          </init-param>
          <init-param>
            <param-name>cors.allowed.methods</param-name>
            <param-value>GET,POST,PUT,DELETE</param-value>
          </init-param>
          <init-param>
            <param-name>cors.exposed.headers</param-name>
            <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
          </init-param>
          <init-param>
            <param-name>cors.support.credentials</param-name>
            <param-value>true</param-value>
          </init-param>
        </filter>
        <filter-mapping>
          <filter-name>CorsFilter</filter-name>
          <url-pattern>/*</url-pattern>
        </filter-mapping>
        
        • If using Apache as a reverse proxy, add the following to the <Location> or <VirtualHost> configured for Confluence (reference: CORS on Apache):
          Header set Access-Control-Allow-Origin "https://example.url.com"
          
        • For IIS 7, merge this into the web.config file at the root of your application/site:
          <?xml version="1.0" encoding="utf-8"?>
            <configuration>
              <system.webServer>
                <httpProtocol>
                  <customHeaders>
                    <add name="Access-Control-Allow-Origin" value="https://example.url.com" />
                  </customHeaders>
                </httpProtocol>
              </system.webServer>
            </configuration>
          
        • If using other proxies, check CORS_ENABLED for examples such as Nginx and IIS6
        • Remember to add your SAML provider to the comma-separated list of URLs in the CORS filter
      4. Save web.xml
      5. Start Confluence

            People

              Unassigned Unassigned
              aworley Ann Worley (Inactive)
              Votes: 116
              Watchers: 93