Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-59101

Jira doesn't support preflighted requests for CORS

XMLWordPrintable

      Summary

      JIRA doesn't support preflighted requests for CORS. There are a couple of problems:

      • It doesn't respect content of Access-Control-Request-Method header
      • It doesn't reply with Access-Control-Allow... headers

      Problem1

      Steps to Reproduce

      1. Configure CORS at JIRA for domain 'http://mysite.com'
      2. Fire the OPTIONS REST call with Origin and Access-Control-Request-... headers.
        curl -v -uadmin:admin -X OPTIONS -H 'Access-Control-Request-Method: GET' -H 'Access-Control-Request-Headers: authorization' -H 'Origin: http://mysite.com'  http://127.0.0.1:8081/rest/api/latest/issue/PRG-4 -o /dev/null
        
        > OPTIONS /rest/api/latest/issue/PRG-4 HTTP/1.1
        > Access-Control-Request-Method: GET
        > Access-Control-Request-Headers: authorization
        > Origin: http://mysite.com
        

        Please note that performing certain types of cross-domain AJAX requests, modern browsers that support CORS will insert an extra "preflight" request to determine whether they have permission to perform the action. Eg. Firefox uses "preflight" request for methods other than GET, HEAD or POST.

      Expected Results

      Response has header with following content:

      Access-Control-Allow-Origin: http://mysite.com
      Access-Control-Allow-Methods: OPTIONS, GET, PUT, DELETE
      Access-Control-Allow-Credentials: true
      Access-Control-Expose-Headers: Origin, Authorization, Content-Type
      

      Actual Results

      Response has header with following content:

      < HTTP/1.1 200 OK
      

      No Access-Control-Allow... headers

      Problem2

      Steps to Reproduce

      1. Configure CORS at JIRA for domain 'http://mysite.com'
      2. Fire the OPTIONS REST call with Origin and Access-Control-Request-Method headers.
        curl -v -X OPTIONS -u admin:1 -H 'Content-Type: application/json; charset=UTF-8' -H 'Origin: http://mysite.com' -H 'Access-Control-Request-Method: PUT' http://127.0.0.1:8080/rest/api/2/issue/DRA-2/properties/10000 -o /dev/nul
        
        > Origin: http://mysite.com
        > Access-Control-Request-Method: PUT
        

        Please note that performing certain types of cross-domain AJAX requests, modern browsers that support CORS will insert an extra "preflight" request to determine whether they have permission to perform the action. Eg. Firefox uses "preflight" request for methods other than GET, HEAD or POST.

      Expected Results

      Response has header with following content:

      Access-Control-Allow-Methods: OPTIONS, GET, PUT, DELETE
      Access-Control-Allow-Headers: Authorization, Content-Type
      

      Actual Results

      Response has header with following content:

      < HTTP/1.1 200 OK
      < Server: Apache-Coyote/1.1
      ....
      < X-ASESSIONID: qszqfh
      < X-AUSERNAME: admin
      < Access-Control-Allow-Origin: http://mysite.com
      < Access-Control-Allow-Credentials: true
      < Access-Control-Allow-Headers: Content-Type
      < Access-Control-Allow-Methods: OPTIONS
      

      And the leads to error message in browser:

      • Method PUT is not allowed by Access-Control-Allow-Methods in preflight response.
        • OR
      • Request header field Authorization is not allowed by Access-Control-Allow-Headers in preflight response

      Notes

      Please see specification for details:

      Workaround

      Setup a proxy and rewrite Access-Control-Request-Method header. See for example: Apache, as a proxy

        1. CORS_example.png
          127 kB
          Andriy Yakovlev [Atlassian]

              kcichy Kamil Cichy (Inactive)
              ayakovlev@atlassian.com Andriy Yakovlev [Atlassian]
              Votes:
              170 Vote for this issue
              Watchers:
              149 Start watching this issue

                Created:
                Updated:
                Resolved: