[JRACLOUD-65573] CORS not supported in JIRA Cloud REST API but not mentioned in documentation

Type: Bug
Resolution: Fixed
Priority: Low
Component/s: Documentation, Ecosystem
Labels:
- api
- triaged

Support reference count:
1
Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Cloud bug fix policy

Summary

According to https://docs.atlassian.com/jira/REST/cloud/ ...

Note, JIRA itself uses cookie-based authentication in the browser, so you can call REST from Javascript on the page and rely on the authentication that the browser has established. To reproduce the behavior of the JIRA log-in page (for example, to display authentication error messages to users) can POST to the /auth/1/session resource.

It is mentioned in documentation that Javascripts can be used to fire REST Calls to Cloud instances but in truth this is wrong because attempting to fire REST Calls from Javascripts will return errors regarding CORS.

No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access. The response had HTTP status code 401.

Will be best to keep this portion updated so that it doesn't confuse users.

is related to

JRACLOUD-30371 Allow cross-domain requests for CORS

Closed

JRACLOUD-59724 Jira Allows Cross Origin Resource Sharing Request or not??

Closed

relates to

JRACLOUD-30371 Allow cross-domain requests for CORS

Closed

Krzysztof Kercz added a comment - 11/Jun/2019 10:50 AM

The documentation has been updated. Closing the issue.

Let me also leave this here as an explanation of why CORS is not available:

We actually do support CORS requests when using https://developer.atlassian.com/cloud/jira/platform/oauth-2-authorization-code-grants-3lo-for-apps/, as your requests will go through api.atlassian.com where token based authentication is the only thing we allow.

For further explanation: The problem why we don’t support CORS directly on your site host/domain is that we accept session based authentication on there, which would then allow any site to make random, authenticated requests to your site.

The alternative is to proxy your requests through your own backend

Source: https://community.developer.atlassian.com/t/cors-error-with-rest-api/27354/4

Krzysztof Kercz added a comment - 11/Jun/2019 10:50 AM The documentation has been updated. Closing the issue. Let me also leave this here as an explanation of why CORS is not available: We actually do support CORS requests when using https://developer.atlassian.com/cloud/jira/platform/oauth-2-authorization-code-grants-3lo-for-apps/ , as your requests will go through api.atlassian.com where token based authentication is the only thing we allow. For further explanation: The problem why we don’t support CORS directly on your site host/domain is that we accept session based authentication on there, which would then allow any site to make random, authenticated requests to your site. The alternative is to proxy your requests through your own backend Source: https://community.developer.atlassian.com/t/cors-error-with-rest-api/27354/4

Enkhtaivan Ganbat added a comment - 08/Jun/2018 7:46 AM

Got same error while trying to access Jira Cloud REST API from javascript

Enkhtaivan Ganbat added a comment - 08/Jun/2018 7:46 AM Got same error while trying to access Jira Cloud REST API from javascript

Assignee:: Eve (Inactive)

Reporter:: Vincent Chin (Inactive)

Affected customers:: 6 This affects my team

Watchers:: 8 Start watching this issue

Created:: 11/Jan/2017 12:26 PM

Updated:: 12/Nov/2023 10:51 PM

Resolved:: 11/Jun/2019 10:50 AM

Details

Description

Summary

Attachments

Issue Links

Forms

Activity

Collapse comment: Krzysztof Kercz added a comment - 11/Jun/2019 10:50 AM

Expand comment: Krzysztof Kercz added a comment - 11/Jun/2019 10:50 AM

Collapse comment: Enkhtaivan Ganbat added a comment - 08/Jun/2018 7:46 AM

Expand comment: Enkhtaivan Ganbat added a comment - 08/Jun/2018 7:46 AM

People

Dates