Jira Server and Data Center / JRASERVER-59101

Jira doesn't support preflighted requests for CORS


      Description

      Summary

      JIRA doesn't support preflighted requests for CORS. There are a couple of problems:

      • It doesn't respect content of Access-Control-Request-Method header
      • It doesn't reply with Access-Control-Allow... headers

      Problem 1

      Steps to Reproduce

      1. Configure CORS at JIRA for domain 'http://mysite.com'
      2. Fire the OPTIONS REST call with Origin and Access-Control-Request-... headers.
        curl -v -uadmin:admin -X OPTIONS -H 'Access-Control-Request-Method: GET' -H 'Access-Control-Request-Headers: authorization' -H 'Origin: http://mysite.com'  http://127.0.0.1:8081/rest/api/latest/issue/PRG-4 -o /dev/null
        
        > OPTIONS /rest/api/latest/issue/PRG-4 HTTP/1.1
        > Access-Control-Request-Method: GET
        > Access-Control-Request-Headers: authorization
        > Origin: http://mysite.com
        

        Please note that when performing certain types of cross-domain AJAX requests, modern browsers that support CORS will insert an extra "preflight" request to determine whether they have permission to perform the action. E.g. Firefox uses a "preflight" request for methods other than GET, HEAD or POST.

      Expected Results

      Response has headers with the following content:

      Access-Control-Allow-Origin: http://mysite.com
      Access-Control-Allow-Methods: OPTIONS, GET, PUT, DELETE
      Access-Control-Allow-Credentials: true
      Access-Control-Expose-Headers: Origin, Authorization, Content-Type
      

      Actual Results

      Response has headers with the following content:

      < HTTP/1.1 200 OK
      

      No Access-Control-Allow... headers

      Problem 2

      Steps to Reproduce

      1. Configure CORS at JIRA for domain 'http://mysite.com'
      2. Fire the OPTIONS REST call with Origin and Access-Control-Request-Method headers.
        curl -v -X OPTIONS -u admin:1 -H 'Content-Type: application/json; charset=UTF-8' -H 'Origin: http://mysite.com' -H 'Access-Control-Request-Method: PUT' http://127.0.0.1:8080/rest/api/2/issue/DRA-2/properties/10000 -o /dev/null
        
        > Origin: http://mysite.com
        > Access-Control-Request-Method: PUT
        

        Please note that when performing certain types of cross-domain AJAX requests, modern browsers that support CORS will insert an extra "preflight" request to determine whether they have permission to perform the action. E.g. Firefox uses a "preflight" request for methods other than GET, HEAD or POST.

      Expected Results

      Response has headers with the following content:

      Access-Control-Allow-Methods: OPTIONS, GET, PUT, DELETE
      Access-Control-Allow-Headers: Authorization, Content-Type
      

      Actual Results

      Response has headers with the following content:

      < HTTP/1.1 200 OK
      < Server: Apache-Coyote/1.1
      ....
      < X-ASESSIONID: qszqfh
      < X-AUSERNAME: admin
      < Access-Control-Allow-Origin: http://mysite.com
      < Access-Control-Allow-Credentials: true
      < Access-Control-Allow-Headers: Content-Type
      < Access-Control-Allow-Methods: OPTIONS
      

      And this leads to one of the following error messages in the browser:

      • Method PUT is not allowed by Access-Control-Allow-Methods in preflight response.
      • Request header field Authorization is not allowed by Access-Control-Allow-Headers in preflight response
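      The two failures above (Problem 1: no Access-Control-Allow-* headers at all; Problem 2: Allow-Methods/Allow-Headers that ignore the Access-Control-Request-* headers) are both instances of the same preflight check that the browser runs. The following Python model, added here as an illustration and not part of Jira or of this issue, shows both sides of the exchange: preflight_response() is a hypothetical server that builds a correct preflight answer from a configured allow-list (the origin, methods and headers are taken from the Expected Results above), and browser_preflight_check() reproduces the browser's decision, returning the same error strings quoted in this issue. The sample request and response headers inside it are constructed from the curl output above.

```python
"""Model of the CORS preflight exchange described in JRASERVER-59101.

Added example (not Jira code). Two pieces:
  * preflight_response(): what a CORS-aware server should answer to an
    OPTIONS preflight, given a configured allow-list.
  * browser_preflight_check(): the check a browser performs on the preflight
    response before sending the real request; it yields the error messages
    quoted in the issue.
"""

SIMPLE_METHODS = {"GET", "HEAD", "POST"}  # methods that never trigger a preflight by themselves

# Hypothetical server-side allow-list, standing in for "Configure CORS at JIRA for domain".
ALLOWED_ORIGINS = {"http://mysite.com"}
ALLOWED_METHODS = ["OPTIONS", "GET", "PUT", "DELETE"]
ALLOWED_HEADERS = ["Authorization", "Content-Type"]


def _split(value):
    """Split a comma-separated header value into a list of stripped tokens."""
    return [p.strip() for p in value.split(",") if p.strip()]


def preflight_response(request_headers):
    """Build the preflight response headers for an OPTIONS request.

    Returns a dict of response headers, or {} when the request must be refused.
    The configured origin is echoed back (never '*', because credentials are
    allowed) and the requested method/headers are checked case-insensitively
    against the allow-list, which is exactly what the issue says Jira omits.
    """
    h = {k.lower(): v for k, v in request_headers.items()}
    origin = h.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return {}  # unknown origin: answer with no CORS headers at all

    wanted_method = h.get("access-control-request-method", "").upper()
    if wanted_method and wanted_method not in ALLOWED_METHODS:
        return {}

    wanted_headers = _split(h.get("access-control-request-headers", ""))
    allowed_lower = {a.lower() for a in ALLOWED_HEADERS}
    if any(w.lower() not in allowed_lower for w in wanted_headers):
        return {}

    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": ", ".join(ALLOWED_METHODS),
        "Access-Control-Allow-Headers": ", ".join(ALLOWED_HEADERS),
        "Vary": "Origin",  # keep caches from serving one origin's answer to another
    }


def browser_preflight_check(origin, method, request_header_names, response_headers):
    """Return the reasons a browser would refuse to send the actual request.

    An empty list means the preflight passed. request_header_names is the list
    of non-simple request headers the page wants to send (every listed header
    is treated as needing explicit permission, a deliberate simplification).
    """
    resp = {k.lower(): v for k, v in response_headers.items()}
    errors = []

    allow_origin = resp.get("access-control-allow-origin")
    if allow_origin not in (origin, "*"):
        errors.append(f"Origin {origin} is not allowed by Access-Control-Allow-Origin.")

    allowed_methods = {m.upper() for m in _split(resp.get("access-control-allow-methods", ""))}
    if method.upper() not in SIMPLE_METHODS and method.upper() not in allowed_methods:
        errors.append(f"Method {method} is not allowed by Access-Control-Allow-Methods in preflight response.")

    allowed_headers = {a.lower() for a in _split(resp.get("access-control-allow-headers", ""))}
    for name in request_header_names:
        if name.lower() not in allowed_headers:
            errors.append(f"Request header field {name} is not allowed by Access-Control-Allow-Headers in preflight response")
    return errors


# Constructed from the "Actual Results" of Problem 2 in the issue.
PROBLEM2_ACTUAL = {
    "Access-Control-Allow-Origin": "http://mysite.com",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Headers": "Content-Type",
    "Access-Control-Allow-Methods": "OPTIONS",
}

if __name__ == "__main__":
    print(browser_preflight_check("http://mysite.com", "PUT", ["Authorization", "Content-Type"], PROBLEM2_ACTUAL))
    print(preflight_response({"Origin": "http://mysite.com",
                              "Access-Control-Request-Method": "PUT",
                              "Access-Control-Request-Headers": "authorization, content-type"}))
```

      Running the browser check against the Problem 2 response yields both quoted errors, while the response built by preflight_response() for the same request passes cleanly; a request from an origin that is not in the allow-list gets no CORS headers at all, which is the safe default when credentials are involved.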

      Notes

      Please see the specification for details:

      Workaround

      Set up a proxy and rewrite the Access-Control-Request-Method header. See for example: Apache, as a proxy

      People

      Assignee: Kamil Cichy (kcichy)
      Reporter: Andriy Yakovlev [Atlassian] (ayakovlev@atlassian.com)
      Votes: 170
      Watchers: 145
