XSRF Check failed during CORS request


    • Type: Bug
    • Resolution: Obsolete
    • Priority: Low
    • 7.0.0
    • Affects Version/s: 6.4.12
    • Component/s: REST API
    • 6.04

      Summary

      JIRA throws an "XSRF check failed" error on POST requests made using CORS

      Steps to Reproduce

      1. Add the domain to a whitelist rule so that incoming requests from it are accepted

      2. Create an issue with the REST API (for example, by using Postman Interceptor) and set the 'Origin' header to the same domain as the one added to the whitelist

      Expected Results

      • Issue created successfully

      Actual Results

      HTTP response:

      XSRF check failed
      

      The following is seen in atlassian-jira.log:

      2016-01-27 09:58:41,382 http-bio-8080-exec-17 WARN admin 598x202x1 gmldrg 0:0:0:0:0:0:0:1 /rest/api/2/issue [common.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request: http://localhost:8080/6412/rest/api/2/issue , origin: http://www.com , referrer: null , credentials in request: true , allowed via CORS: false
      

      Notes

      • Only reproduced in JIRA 6.4.12

      Workaround

      • Set the Origin header equal to the BaseUrl
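
To triage this warning in atlassian-jira.log, the following added example (not JIRA or Atlassian code) parses the XsrfResourceFilter line quoted above and reports whether the rejected Origin matches the base URL or a whitelist entry. The regex is derived only from the one log line on this page; the function names, the base URL value and the treatment of whitelist entries as exact origins are assumptions.

```python
import re
from urllib.parse import urlsplit

# Pattern derived from the single log line quoted in this issue; other JIRA
# versions may format the message differently (assumption).
XSRF_RE = re.compile(
    r"Additional XSRF checks failed for request: (?P<request>\S+) , "
    r"origin: (?P<origin>\S+) , referrer: (?P<referrer>\S+) , "
    r"credentials in request: (?P<credentials>true|false) , "
    r"allowed via CORS: (?P<cors>true|false)"
)

def origin_of(url):
    """Return scheme://host[:port] in lower case, or None for 'null'/garbage."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()

def triage(line, base_url, whitelist):
    """Classify one XsrfResourceFilter warning; returns None if no match."""
    m = XSRF_RE.search(line)
    if m is None:
        return None
    origin = origin_of(m["origin"])
    allowed = {origin_of(w) for w in whitelist}  # exact-origin entries (assumption)
    if origin is None:
        verdict = "no usable Origin header"
    elif origin == origin_of(base_url):
        verdict = "same origin as base URL; failure has another cause"
    elif origin in allowed and m["cors"] == "false":
        verdict = "origin is whitelisted but CORS check rejected it (this issue)"
    elif origin in allowed:
        verdict = "origin whitelisted and CORS allowed; failure has another cause"
    else:
        verdict = "origin not whitelisted; rejection is expected"
    return {"request": m["request"], "origin": origin,
            "referrer": None if m["referrer"] == "null" else m["referrer"],
            "credentials": m["credentials"] == "true", "verdict": verdict}

# The log line from this issue; the base URL and whitelist below are constructed.
SAMPLE = ("2016-01-27 09:58:41,382 http-bio-8080-exec-17 WARN admin 598x202x1 gmldrg "
          "0:0:0:0:0:0:0:1 /rest/api/2/issue [common.security.jersey.XsrfResourceFilter] "
          "Additional XSRF checks failed for request: http://localhost:8080/6412/rest/api/2/issue , "
          "origin: http://www.com , referrer: null , credentials in request: true , "
          "allowed via CORS: false")

if __name__ == "__main__":
    print(triage(SAMPLE, "http://localhost:8080/6412", ["http://www.com"]))
```

A verdict of "origin not whitelisted" points at configuration rather than this bug, so check the whitelist rule before applying the workaround.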

        1. postman.png (141 kB)
        2. whitelist.png (143 kB)

            Assignee: Unassigned
            Reporter: Pelle Kirkeby (Inactive)
            Votes: 0
            Watchers: 9
