XSRF checks were added to the endpoint /rest/collectors/1.0/template/custom as part of the fix for
The server receives requests from the same origin, because the form page is on the same origin as the form submission; thus the XSRF HTTP header matches, which is fine.
However, for the XSRF check to succeed, the form token and the cookie token sent to the server must match. The problem occurs because modern web browsers (Chrome 80 and later) do not accept the atlassian.xsrf.cookie that the server initially sends into an iframe, as it is treated as cross-site and is therefore rejected. This is because the cookie does not have the SameSite=None attribute set (see
- Create a Jira 8.20.3, a sample SCRUM project, and an issue collector (custom type)
- Insert the sample code into an HTML page on the same site (for local testing, JIRA_INSTALL/atlassian-jira/static-assets/test.html is fine)
- Load the page (e.g. http://JUPITER/static-assets/test.html) and submit an issue with the collector. Note that the POST to /rest/collectors/1.0/template/custom succeeds
- Insert the sample code into an HTML page on your local machine (a differing origin), and load it in your browser
The issue submission succeeds
- The POST to /rest/collectors/1.0/template/custom is rejected with HTTP 404 and body "XSRF check failed"
- An error is presented to the client
When enabling Jira Admin -> System -> Logging and Profiling -> HTTP Access log (ON) -> HTTP Dump Log (ON), the request from the client can be observed in JIRA_HOME/log/atlassian-jira-http-dump.log. Observe that the client does not send the XSRF token in the cookie, as the browser rejected storing it.
The following workaround will disable XSRF checks for the issue collector, which was the behaviour prior to JRASERVER-73068. This may be tolerable for you, but it is worthwhile confirming within your organisation.
Modify the reverse proxy / load balancer / WAF to add the following header to the request as it makes its way to the Jira node:
- Condition: Method: POST
- Condition: Request URL: /rest/collectors/1.0/template/custom/*
- Action: Add header: X-Atlassian-Token: no-check
We've added the "SameSite=None" parameter to the xsrftoken cookie, which is on by default.
Please note: the fix works only if the connection is secure; the issue collector needs to access Jira through the HTTPS protocol. If it is not, the collector works properly only on Firefox.
Unfortunately we can't omit this restriction, because that's how cookies are handled on Chrome, Opera etc., and they don't allow setting the SameSite=None parameter on cookies if the connection is not secure.
Note that the reverse proxy needs to allow the SameSite cookie (SameSite="none"), and the secure="true" attribute needs to be present on the Tomcat connector (server.xml). This is required so that the HTTP response sets the cookie parameters correctly.
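As an added example (not part of this issue and not Jira's code), the script below models the two rules the issue describes: how a Chrome 80+ style browser decides whether the atlassian.xsrf.cookie issued into a cross-site iframe is stored (SameSite, Secure, https), and the server-side XSRF check that compares the form token with the cookie token or is skipped by the X-Atlassian-Token: no-check header. The Set-Cookie values, the token placeholder and the Cookie-header parsing are constructed, simplified assumptions.

```python
COOKIE_NAME = "atlassian.xsrf.cookie"

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {lowercase attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().strip('"')
    return name.strip(), value, attrs

def stored_cross_site(header, https):
    """Chrome 80+ rules: no SameSite means Lax, so not stored from a cross-site
    iframe; SameSite=None needs Secure; Secure is only accepted over https."""
    name, _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    if samesite != "none":
        return False, f"{name}: SameSite={samesite or 'Lax (default)'} blocked cross-site"
    if "secure" not in attrs:
        return False, f"{name}: SameSite=None without Secure is rejected"
    if not https:
        return False, f"{name}: Secure cookie is not set over plain http"
    return True, f"{name}: SameSite=None; Secure over https is stored"

def xsrf_check(request_headers, form_token):
    """Simplified model of the check the issue describes (not Jira's code):
    'X-Atlassian-Token: no-check' skips it, else form and cookie tokens must match."""
    if request_headers.get("X-Atlassian-Token", "").lower() == "no-check":
        return True, "check skipped by X-Atlassian-Token: no-check"
    cookies = dict(c.strip().split("=", 1)
                   for c in request_headers.get("Cookie", "").split(";") if "=" in c)
    cookie_token = cookies.get(COOKIE_NAME)
    if cookie_token is None:
        return False, "XSRF check failed: browser did not send the cookie"
    if cookie_token != form_token:
        return False, "XSRF check failed: form token and cookie token differ"
    return True, "tokens match"

# Constructed Set-Cookie values modelling the response before and after the fix.
BEFORE_FIX = f"{COOKIE_NAME}=TOKEN-PLACEHOLDER; Path=/"
AFTER_FIX = f"{COOKIE_NAME}=TOKEN-PLACEHOLDER; Path=/; SameSite=None; Secure"

def simulate(set_cookie, https, proxy_header=None):
    """Cross-site iframe submit; proxy_header models the workaround header."""
    stored, _ = stored_cross_site(set_cookie, https)
    token = parse_set_cookie(set_cookie)[1]
    headers = {"Cookie": f"{COOKIE_NAME}={token}"} if stored else {}
    if proxy_header:
        headers["X-Atlassian-Token"] = proxy_header
    return xsrf_check(headers, token)
```

Running simulate(BEFORE_FIX, True) reproduces the "browser did not send the cookie" failure, simulate(AFTER_FIX, False) shows why the fix still fails over plain http, and simulate(BEFORE_FIX, True, "no-check") shows the proxy workaround bypassing the check entirely.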