Odd CORS error querying JIRA REST API

I am trying to develop a D3 visualisation project for our JIRA boards, but I've fallen at the first hurdle. I'm having trouble authenticating and getting a list of JIRA boards.

This code is entirely client-side and is in Angular 2 RC 3. My service looks like this:

public authenticate( username:string, password:string ):void {
    let encodedAuth:string = window.btoa( `${username}:${password}` );
    this.headers = new Headers();
    this.headers.append( 'Content-Type', 'application/json' );
    this.headers.append( 'Authorization', `Basic ${encodedAuth}` );
}

public getAllBoards():Observable<Boards> {
    // Http.get() takes a RequestOptionsArgs object, so the headers go under the `headers` key
    return this.http.get( `http://${this.host}/rest/agile/1.0/board`, { headers: this.headers } )
        .map( response => response.json() as Boards );
}

and the code in my component looks like this:

constructor( protected jiraService:JIRAService ) {
    this.jiraService.authenticate('me@you.com', 'password');
    this.jiraService.getAllBoards().subscribe(
        boards => this.boards = boards
    );
}

Unfortunately, this generates what looks like a CORS error in my browser:

XMLHttpRequest cannot load https://myjira.atlassian.net/rest/agile/1.0/board. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access. The response had HTTP status code 401.

...which is a little unexpected. This same URL used directly in the browser, or in Postman, works fine and returns a list of boards. Examining the request in Charles I see the error "SSL Proxying not enabled for this host: enable in Proxy Settings, SSL locations", but cannot actually find this setting. I don't care if I can't see it in Charles actually, I just want to get it working!

I have tried several of the npm JIRA packages but none of them are remarkable and seem to be designed for server-side development.

Any help greatly appreciated. I have asked this question on StackOverflow, but the responses were not helpful.

3 answers

Are you developing an Atlassian Connect add-on? If yes, then your code is violating the same-origin policy because your code is actually loaded from a different domain than the host JIRA.

In order to make requests to the host JIRA without requiring CORS, you need to use the Request module as described in the documentation.

It is completely normal for the URL to return results when directly invoked in a browser, because in this case the same-origin policy is not violated - there is no code from another domain being executed in the browser - the browser is directly executing the REST request.

Ok, I'm not entirely convinced if what I'm writing qualifies as a Connect add-on: I am writing a web app that will (hopefully!) query JIRA somehow - I thought over the REST API - and display pretty graphs based on key data. This web app will sit on my company's own domain, not the JIRA domain. It is an entirely separate app and will not slot into the JIRA website.

Am I living in a fantasy land? Is this not possible? A piece of understanding that is missing in this respect is why it is possible to request over the REST API directly in a browser, by typing the API URL into the browser; but you can't do it in code. What on earth is the difference from a security point of view, or is Atlassian's motivation for disabling this not a security consideration?

I shall read the documentation link provided, thanks for that.

This is not something which Atlassian did - this is basic browser security. Among other things, the same-origin policy prevents unauthorized cookie-based authentication.

Anyway, if you have administrative privileges in JIRA, you can whitelist the domain of the application making the REST call, to enable CORS - go to System->Whitelist and add the origin URL.
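
The following is an added example, not code from any poster in this thread or from Atlassian: a simplified model of the check a browser applies to a cross-origin request like the one in the question. It shows why a `GET` carrying `Authorization` and `Content-Type: application/json` triggers a preflight, which is sent without the `Authorization` header, and why a 401 reply with no `Access-Control-Allow-Origin` header is blocked. The function names, the sample origins and the sample response headers are assumptions; cookie credentials and `Access-Control-Allow-Methods` are left out of the model.

```javascript
// Added example: simplified model of the browser-side CORS decision.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Names of request headers that are not CORS-safelisted.
function unsafeHeaderNames(headers) {
  return Object.entries(headers)
    .filter(([name, value]) => {
      const n = name.toLowerCase();
      if (n === 'content-type') {
        return !SAFE_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase());
      }
      return !SAFE_HEADERS.has(n); // Authorization lands here
    })
    .map(([name]) => name.toLowerCase());
}

// A request that is not "simple" is preceded by an OPTIONS preflight.
function needsPreflight(request) {
  return !SAFE_METHODS.has(request.method.toUpperCase()) ||
    unsafeHeaderNames(request.headers).length > 0;
}

// preflight: { status, headers } as the server answered the OPTIONS request
// (header names lower-cased). The preflight never carries Authorization.
function corsOutcome(origin, request, preflight) {
  if (!needsPreflight(request)) return 'no-preflight';
  const allowOrigin = preflight.headers['access-control-allow-origin'];
  if (allowOrigin !== '*' && allowOrigin !== origin) return 'blocked: origin not allowed';
  if (preflight.status < 200 || preflight.status > 299) return 'blocked: preflight status';
  const allowed = (preflight.headers['access-control-allow-headers'] || '')
    .split(',').map(h => h.trim().toLowerCase());
  const missing = unsafeHeaderNames(request.headers).filter(h => !allowed.includes(h));
  return missing.length ? 'blocked: headers ' + missing.join(',') : 'allowed';
}

// Constructed samples: the question's request, and two hypothetical server replies.
const jiraRequest = { method: 'GET', headers: {
  'Content-Type': 'application/json', 'Authorization': 'Basic <redacted>' } };
const unauthenticated401 = { status: 401, headers: {} };
const allowlisted = { status: 200, headers: {
  'access-control-allow-origin': 'https://dashboard.example.com',
  'access-control-allow-headers': 'authorization, content-type' } };

console.log(corsOutcome('null', jiraRequest, unauthenticated401));
console.log(corsOutcome('https://dashboard.example.com', jiraRequest, allowlisted));
```

An origin of `null`, as in the quoted error, is what a page opened from `file://` reports, so it cannot match an allowlist entry for a real domain.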

Hi Petar,
I am also getting the same issue as mentioned above by Mark, and even after enabling CORS by adding to the whitelist, it doesn't work.

Here is my code, simple ajax request:

var username = "******";
var password = "******";

$.ajax({
    url: "https://jiradomain.com/rest/auth/1/session",
    type: 'GET',
    contentType: 'application/json',
    crossOrigin: true,
    beforeSend: function(xhr) {
        // Send the credentials as an HTTP Basic Authorization header
        xhr.setRequestHeader("Authorization", "Basic " + window.btoa(username + ":" + password));
    },
    error: function(error) {
        // handle the failed request
    },
    success: function(data) {
        // handle the session data
    }
});


Some other guys also faced the same issue:

Please help us; we are not able to move ahead as we are stuck at the first step.

Regarding the error: SSL Proxying not enabled for this host: enable in Proxy Settings, SSL locations

You can refer to the following post to resolve that in case you want to enable SSL proxying

