Enable CORS in Bitbucket REST API

I am developing a plugin that provides a REST API. I want to retrieve some data from the api that i provided and display it on an web application on a different URL. So now i need to enable CORS. But i am running into a lot of problems. The code of my api looks like this:

public class ProjectResource {

private ProjectMonitorService service;

ProjectResource(@ComponentImport ProjectMonitorService service) {
this.service = service;

public Response getMessage() {
return Response.ok(new ProjectResourceModel("Hell World", ""))
.header("Access-Control-Allow-Headers", "Authorization")
.header("Access-Control-Allow-Origin", "http://localhost:4200/")
.header("Access-Control-Allow-Methods", "OPTIONS, GET")
.header("Access-Control-Allow-Credentials", "*")

My client looks like this:

return this.http.get('http://localhost:7990/bitbucket/rest/project/1.0/project', { headers: new HttpHeaders().append('Authorization', 'Basic YWRtaW46YWRtaW4=') });  


OPTIONS http://localhost:7990/bitbucket/rest/project/1.0/project/number  XMLHttpRequest cannot load http://localhost:7990/bitbucket/rest/project/1.0/project/number. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4200' is therefore not allowed access. The response had HTTP status code 401  

Info: The authenticatin token is the one of the system admin   I tried putting a filter on the server that allows almost everything. The problem that i saw is that the Option method is not allowed and it is now possible to allow it(unsure). The problem is that the browser sends a OPTION preflight request. I have no clue how to enable the CORS, so can someone help me. 

2 answers

0 votes

Have you seen the below documentation page?


Also, not sure it can helps, but you can also have a look at: 


Finally, in case of no answers in here it may be a good idea to re-ask the same question into the developers' community:


I hope this helps.



Best Regards,

I'm running into the same or similar problem.  We have configured the server to return

Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS
Access-Control-Allow-Headers: Accept, Authorization, Content-Type, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, Range, X-Csrftoken, X-Requested-With, Cookie
Access-Control-Allow-Origin: http://{dynamically derived sub-domain:port}

But because the preflight OPTIONS requests are protected by the same authorization rules as the rest of the verbs (GET, POST, etc.) I can only access API results of Repositories that are configured to allow Public Access.  The authorization COOKIE is not sent on the preflight so I get a 401 from the preflight response and an error that the preflight was not completed with a 200 status.  However if I mark the repository as Allow Public cloning, the OPTIONS request returns 200 and the following GET is completed returning me pull-requests, branches, etc. The COOKIE IS sent on the GET because I do have withCredentials: true

I believe that the URL permission for bitbucket should be changed to allow anon for rest/api/* for OPTIONS requests and not have the same URI permissions applied for the remain projects/{project}/repos/{repo} portion of the URI

We could hack Apache to always return 200 from options requests, but that seems wrong.

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Nov 06, 2018 in Bitbucket

Upgrade Best Practices

Hello! My name is Mark Askew and I am a Premier Support Engineer for products Bitbucket Server/Data Center, Fisheye & Crucible. Today, I want to bring the discussion that Jennifer, Matt, and ...

693 views 5 9
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you