  1. Jira Software Server and Data Center
  2. JSWSERVER-15228

JIRA Software REST API doesn't support preflighted requests for CORS


    Details

      Description

      Summary

      In JIRA 7.2 we introduced the Software REST API. JIRA doesn't support preflighted requests for CORS for the new calls.
      There are problems here:

      • JIRA doesn't add Access-Control-Allow-* headers to the request
      • JIRA replies with 401 Unauthorized

      Steps to Reproduce

      1. Configure CORS at JIRA for domain 'http://mysite.com'
      2. Fire the OPTIONS REST call with Origin and Access-Control-Request-Method headers.
        curl -v -X OPTIONS -H 'Access-Control-Request-Method: GET' -H 'Origin: http://mysite.com'  http://127.0.0.1:8081/rest/agile/1.0/board/1/epic
        > Access-Control-Request-Method: GET
        > Origin: http://mysite.com
        

        Please note that when performing certain types of cross-domain AJAX requests, modern browsers that support CORS will insert an extra "preflight" request to determine whether they have permission to perform the action. E.g. Firefox uses a "preflight" request for methods other than GET, HEAD or POST.

      Expected Results

      The response has headers with the following content:

      < Access-Control-Allow-Origin: http://mysite.com
      < Access-Control-Allow-Credentials: true
      < Access-Control-Max-Age: 3600
      < Access-Control-Allow-Methods: GET
      < Access-Control-Allow-Headers: X-Atlassian-Token, Content-Type
      

      Actual Results

      JIRA replies with 401 Unauthorized:

      < HTTP/1.1 401 Unauthorized
      < Server: Apache-Coyote/1.1
      

      And this leads to an error message in the browser:

      • Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at <URL>. (Reason: CORS preflight channel did not succeed).

      Notes

      If you remove the Origin header, the call succeeds, but the CORS (Access-Control-Allow-*) headers are not present:

      curl -v -X OPTIONS -H 'Access-Control-Request-Method: GET'  http://127.0.0.1:8081/rest/agile/1.0/board/1/epic
      > Access-Control-Request-Method: GET
      
      
      < HTTP/1.1 200 OK
      < Server: Apache-Coyote/1.1
      < X-AUSERNAME: anonymous
      < Allow: OPTIONS,HEAD,GET
      
      <?xml version="1.0" encoding="UTF-8" ... 
      

      Please see specification for details:

      Workaround

      None
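
Added example, not part of the original issue report and not Jira or browser code: a simplified JavaScript model of the checks a browser applies to a preflight response (per the Fetch standard), run against the three responses shown above. The request shape (a credentialed GET carrying X-Atlassian-Token) and the 200 status of the expected response are assumptions.

```javascript
// Added example: simplified model of the checks a browser applies to a
// CORS preflight response (Fetch standard); not Jira or browser code.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const parseList = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);

// req: { origin, method, headers: [non-safelisted names], credentials }
// res: { status, headers: { name: value } }
function checkPreflight(req, res) {
  const h = {};
  for (const [k, v] of Object.entries(res.headers)) h[k.toLowerCase()] = v;
  const fail = (reason) => ({ ok: false, reason });
  if (res.status < 200 || res.status > 299) return fail(`status ${res.status} is not 2xx`);
  const allowOrigin = h["access-control-allow-origin"];
  const wildcardOk = !req.credentials; // "*" is not honoured on credentialed requests
  if (!allowOrigin) return fail("missing Access-Control-Allow-Origin");
  if (allowOrigin !== req.origin && !(wildcardOk && allowOrigin === "*"))
    return fail("Access-Control-Allow-Origin does not match Origin");
  if (req.credentials && h["access-control-allow-credentials"] !== "true")
    return fail("Access-Control-Allow-Credentials is not true");
  const methods = parseList(h["access-control-allow-methods"]);
  if (!SAFELISTED_METHODS.has(req.method) && !methods.includes(req.method) &&
      !(wildcardOk && methods.includes("*")))
    return fail(`method ${req.method} not allowed`);
  const allowed = parseList(h["access-control-allow-headers"]).map((s) => s.toLowerCase());
  for (const name of req.headers)
    if (!allowed.includes(name.toLowerCase()) && !(wildcardOk && allowed.includes("*")))
      return fail(`header ${name} not allowed`);
  return { ok: true, reason: "preflight passed" };
}

// Constructed request: credentialed GET carrying X-Atlassian-Token (assumption).
const request = { origin: "http://mysite.com", method: "GET",
                  headers: ["X-Atlassian-Token"], credentials: true };
// Responses transcribed from this page; the 200 status of "expected" is an assumption.
const responses = {
  expected: { status: 200, headers: {
    "Access-Control-Allow-Origin": "http://mysite.com",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Max-Age": "3600",
    "Access-Control-Allow-Methods": "GET",
    "Access-Control-Allow-Headers": "X-Atlassian-Token, Content-Type" } },
  actual: { status: 401, headers: { Server: "Apache-Coyote/1.1" } },
  noOriginHeader: { status: 200, headers: { Server: "Apache-Coyote/1.1",
    "X-AUSERNAME": "anonymous", Allow: "OPTIONS,HEAD,GET" } },
};
for (const [name, res] of Object.entries(responses))
  console.log(name, checkPreflight(request, res));
```

The 401 fails at the status check before any header is inspected, and the 200 returned without an Origin header fails as well because it carries no Access-Control-Allow-Origin.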

              People

              Assignee:
              Unassigned
              Reporter:
              ayakovlev@atlassian.com Andriy Yakovlev [Atlassian]
              Votes:
              17
              Watchers:
              13
