Details
-
Bug
-
Resolution: Fixed
-
Low
-
6.1.3, 6.4.11, 7.1.4, 7.2.1, 7.2.3, 7.3.4, 7.12.1, 8.5.1
-
6.01
-
61
-
Severity 2 - Major
-
105
-
Description
Summary
JIRA doesn't support preflighted requests for CORS. There are a couple of problems:
- It doesn't respect content of Access-Control-Request-Method header
- It doesn't reply with Access-Control-Allow... headers
Problem1
Steps to Reproduce
- Configure CORS at JIRA for domain 'http://mysite.com'
- Fire the OPTIONS REST call with Origin and Access-Control-Request-... headers.
curl -v -uadmin:admin -X OPTIONS -H 'Access-Control-Request-Method: GET' -H 'Access-Control-Request-Headers: authorization' -H 'Origin: http://mysite.com' http://127.0.0.1:8081/rest/api/latest/issue/PRG-4 -o /dev/null > OPTIONS /rest/api/latest/issue/PRG-4 HTTP/1.1 > Access-Control-Request-Method: GET > Access-Control-Request-Headers: authorization > Origin: http://mysite.com
Please note that performing certain types of cross-domain AJAX requests, modern browsers that support CORS will insert an extra "preflight" request to determine whether they have permission to perform the action. Eg. Firefox uses "preflight" request for methods other than GET, HEAD or POST.
Expected Results
Response has header with following content:
Access-Control-Allow-Origin: http://mysite.com Access-Control-Allow-Methods: OPTIONS, GET, PUT, DELETE Access-Control-Allow-Credentials: true Access-Control-Expose-Headers: Origin, Authorization, Content-Type
Actual Results
Response has header with following content:
< HTTP/1.1 200 OK
No Access-Control-Allow... headers
Problem2
Steps to Reproduce
- Configure CORS at JIRA for domain 'http://mysite.com'
- Fire the OPTIONS REST call with Origin and Access-Control-Request-Method headers.
curl -v -X OPTIONS -u admin:1 -H 'Content-Type: application/json; charset=UTF-8' -H 'Origin: http://mysite.com' -H 'Access-Control-Request-Method: PUT' http://127.0.0.1:8080/rest/api/2/issue/DRA-2/properties/10000 -o /dev/nul > Origin: http://mysite.com > Access-Control-Request-Method: PUT
Please note that performing certain types of cross-domain AJAX requests, modern browsers that support CORS will insert an extra "preflight" request to determine whether they have permission to perform the action. Eg. Firefox uses "preflight" request for methods other than GET, HEAD or POST.
Expected Results
Response has header with following content:
Access-Control-Allow-Methods: OPTIONS, GET, PUT, DELETE Access-Control-Allow-Headers: Authorization, Content-Type
Actual Results
Response has header with following content:
< HTTP/1.1 200 OK < Server: Apache-Coyote/1.1 .... < X-ASESSIONID: qszqfh < X-AUSERNAME: admin < Access-Control-Allow-Origin: http://mysite.com < Access-Control-Allow-Credentials: true < Access-Control-Allow-Headers: Content-Type < Access-Control-Allow-Methods: OPTIONS
And the leads to error message in browser:
- Method PUT is not allowed by Access-Control-Allow-Methods in preflight response.
- OR
- Request header field Authorization is not allowed by Access-Control-Allow-Headers in preflight response
Notes
Please see specification for details:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
- http://www.w3.org/TR/access-control/#preflight-request
Workaround
Setup a proxy and rewrite Access-Control-Request-Method header. See for example: Apache, as a proxy
Attachments
Issue Links
- is duplicated by
-
-
- Closed
-
-
JRASERVER-65362 Allow cross-domain requests for CORS
- Gathering Interest
- is related to
-
-
- Gathering Impact
-
-
- Gathering Interest
- mentioned in
-
Page Loading...
-
-
-
-
-
-
- was cloned as
-