It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Odd CORS error querying JIRA REST API

I am trying to develop a D3 visualisation project for our JIRA boards, but I've fallen at the first hurdle. I'm having trouble authenticating and getting a list of JIRA boards.

This code is entirely client-side and is in Angular 2 RC 3. My service looks like this:

public authenticate( username:string, password:string ):void {
    let encodedAuth:string = window.btoa( `${username}:${password}` );
    this.headers = new Headers();
    this.headers.append( 'Content-Type', 'application/json' );
    this.headers.append( 'Authorization', `Basic ${encodedAuth}` );
}
public getAllBoards():Observable<Boards> {
    return this.http.get( `http://${this.host}/rest/agile/1.0/board`, this.headers )
        .map( response => response.json() as Boards )
}

and the code in my component looks like this:

constructor( protected jiraService:JIRAService ) {
    this.jiraService.authenticate('me@you.com', 'password');
    this.jiraService.getAllBoards().subscribe(
        boards => this.boards = boards
    );
}

Unfortunately, this generates what looks like a CORS error in my browser:

XMLHttpRequest cannot load https://myjira.atlassian.net/rest/agile/1.0/board. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access. The response had HTTP status code 401.

...which is a little unexpected. This same URL used directly in the browser, or in Postman, works fine and returns a list of boards. Examining the request in Charles I see the error "SSL Proxying not enabled for this host: enable in Proxy Settings, SSL locations", but cannot actually find this setting. I don't care if I can't see it in Charles actually, I just want to get it working!

I have tried several of the npm JIRA packages but none of them are remarkable and seem to be designed for server-side development.

Any help greatly appreciated. I have asked this question on StackOverflow, but the responses were not helpful.

3 answers

Are you developing an Atlassian Connect add-on? If yes, then your code is violating the same-origin policy because your code is actually loaded from a different domain than the host JIRA.

In order to make requests to the host JIRA without requiring CORS, you need to use the Request module as described in the documentation.

It is completely normal for the URL to return results when directly invoked in a browser, because in this case the same-origin policy is not violated - there is no code from other domain being executed in the browser - the browser is directly executing the REST request.

Ok, I'm not entirely convinced if what I'm writing qualifies as a Connect add-on: I am writing a web app that will (hopefully!) query JIRA somehow - I thought over the REST API - and display pretty graphs based on key data. This web app will sit on my company's own domain, not the JIRA domain. It is an entirely separate app and will not slot into the JIRA website.

Am I living in a fantasy land? Is this not possible? A piece of understanding that is missing in this respect I why it is possible to request over the REST API directly in a browser, by typing the API URL into the browser; but you can't do it in code. What on earth is the difference from a security point of view, or is Atlassian's motivation for disabling this not a security consideration?

I shall read the documentation link provided, thanks for that.

This is not something which Atlassian did - this is basic browser security. Among other things, the same-origin policy prevents unauthorized cookie-based authentication.

Anyway, if you have administrative privileges in JIRA, you can whitelist the domain of the application making the REST call, to enable CORS - go to System->Whitelist and add the origin URL.

Hi Petar,
I am also getting the same issue as mentioned above by Mark and even after enable CORS from adding whitelist, it doesn't work. 

Here is my code, simple ajax request:

var username = "******";
    var password = "******";


    $.ajax({
        url: "https://jiradomain.com/rest/auth/1/session",
        type: 'GET',
        contentType: 'application/json',
        crossOrigin: true,
        beforeSend: function(xhr) {
            xhr.setRequestHeader("Authorization", "Basic " + window.btoa(username + ":" + password));
        },
        error: function(error) {
            console.log(error);
        },
        success: function(data) {
            console.log(data);
        }
    });

 

Some of other guys also faced same issue:
https://community.atlassian.com/t5/JIRA-questions/CORS-issues-with-JIRA-REST-API-even-after-adding-to-whitelist/qaq-p/209789

Please help us we are not able to move ahead as we stuck at first step.
Thanks

Regarding the error: SSL Proxying not enabled for this host: enable in Proxy Settings, SSL locations

You can refer to the following post to resolve that in case you want to enable SSL proxying

http://www.8bitavenue.com/2015/05/debugging-ios-and-android-ssl-connections-using-charles-proxy/

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted in Jira Core

How to manage many similar workflows?

I have multiple projects that use variations of the same base workflow. The variations depend on the requirements of the project or issue type. The variations mostly come in the form of new statuses ...

1,099 views 7 0
Join discussion

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you