
I'm calling the JIRA REST API from JavaScript in a Confluence User Macro and I'm facing CORS issues because JIRA and Confluence are on two different domains and preflight request. I have tried several CORS solutions as described below, without any success. So I'm begging for some input from others who have probably solved this issue.

JavaScript snippet that is failing:
        $.ajax({
            type: "GET",
            url: "",
            dataType: "json",
            contentType: "application/json",
            async: false
        });
Error message (from Firefox):
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at This can be fixed by moving the resource to the same domain or enabling CORS.
JIRA Configuration
  • JIRA Version: 6.4.12
  • Url:
  • Running Apache in front (proxy): Yes
    • Response Headers Configuration:
      • Access-Control-Allow-Headers:origin, content-type, accept
      • Access-Control-Allow-Methods:POST, GET, OPTIONS
      • Access-Control-Allow-Origin:*
  • Confluence added to the whitelist: Yes
Confluence Configuration
Tested with browsers:
  • Chrome (latest)
  • Safari (latest)
  • Firefox (latest)

Testing preflight request (OPTIONS) with CURL:
ismar.slomic$ curl -X OPTIONS " in issueLink(SR-55)" -v
*   Trying
* Connected to ( port 80 (#0)
> OPTIONS /rest/api/latest/search/?jql=issue in issueLink(SR-55) HTTP/1.1
> Host:
> User-Agent: curl/7.43.0
> Accept: */*
* Empty reply from server
* Connection #0 to host left intact
curl: (52) Empty reply from server

This seems to be a positive response.

Testing preflight request (OPTIONS) with Chrome extension Postman:
OPTIONS in issueLink(SR-55)

Response error: Could not get any response. This seems to be like an error connecting to in issueLink(SR-55)

3 answers

I had the exact same problem with my Angular application connecting to the JIRA REST API.

The GET request wasn't the problem - the Access-Control headers were correct there.

The problem is that the response for the OPTIONS (preflight) request doesn't contain the Access-Control-Accept-Origin header.

I guess it's because the JIRA application doesn't run on OPTIONS requests and can't return the origins from the whitelist at this point.

I worked around this issue by configuring the following on the Apache VirtualHost which has ProxyPass to Tomcat:

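# Assumed definition of IS_OPTIONS_REQUEST (the post does not show where it is set)
SetEnvIf Request_Method "^OPTIONS$" IS_OPTIONS_REQUEST
# Add the CORS headers only to responses for preflight (OPTIONS) requests
Header add Access-Control-Allow-Origin: "http://localhost:4200" env=IS_OPTIONS_REQUEST
Header add Access-Control-Allow-Methods: "POST, GET, OPTIONS" env=IS_OPTIONS_REQUEST
Header add Access-Control-Allow-Headers: "authorization,content-type" env=IS_OPTIONS_REQUEST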

This way I define the necessary CORS headers on the OPTIONS request. Please keep the condition and don't make your server respond with these headers on GET, because JIRA will add its own Access-Control-Allow-Origin header on GET and thus it would be doubled.

Then your browser would complain about "Only one Access-Control-Allow-Origin header is allowed on Response headers."

This entirely solves my problem. I'm thinking about making the value a wildcard now so I don't need to maintain the value. GET will anyway contain the values from the whitelist.

Cheers Ben
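
The checks a browser applies to the preflight response and to the actual response in the situations this answer describes, as a simplified model added here (not code from the original posts or from Atlassian). The function names and sample responses are constructed, and credentialed requests are not modelled.

```javascript
// Added example: simplified model of a browser's CORS checks (no credentials mode).
// Response headers are [name, value] pairs so a repeated header stays visible.
function values(headers, name) {
  return headers.filter(([n]) => n.toLowerCase() === name).map(([, v]) => v.trim());
}

// Applies to the preflight response and to the actual GET/POST response alike.
function checkAllowOrigin(origin, headers) {
  const acao = values(headers, "access-control-allow-origin");
  if (acao.length === 0) return "missing Access-Control-Allow-Origin";
  if (acao.length > 1) return "multiple Access-Control-Allow-Origin headers";
  return acao[0] === "*" || acao[0] === origin ? "ok" : "origin not allowed";
}

// method: the real request's method; unsafeHeaders: its non-safelisted header names.
function checkPreflight(origin, method, unsafeHeaders, status, headers) {
  if (status < 200 || status > 299) return "preflight status is not 2xx";
  const originResult = checkAllowOrigin(origin, headers);
  if (originResult !== "ok") return originResult;
  const list = (name) => values(headers, name).join(",").split(",")
    .map((s) => s.trim()).filter(Boolean);
  const methods = list("access-control-allow-methods");
  const safelisted = ["GET", "HEAD", "POST"];
  if (!safelisted.includes(method) && !methods.includes(method) && !methods.includes("*")) {
    return "method " + method + " not allowed";
  }
  const allowed = list("access-control-allow-headers").map((h) => h.toLowerCase());
  for (const h of unsafeHeaders.map((x) => x.toLowerCase())) {
    // "*" never covers Authorization; it must be listed by name.
    const byWildcard = allowed.includes("*") && h !== "authorization";
    if (!allowed.includes(h) && !byWildcard) return "header " + h + " not allowed";
  }
  return "ok";
}

// Constructed sample responses for the three situations described in the answer above.
const ORIGIN = "http://localhost:4200";
const bareOptions = [["Content-Length", "0"]]; // OPTIONS reply without CORS headers
const fixedOptions = [ // OPTIONS reply with the three conditional Apache headers
  ["Access-Control-Allow-Origin", ORIGIN],
  ["Access-Control-Allow-Methods", "POST, GET, OPTIONS"],
  ["Access-Control-Allow-Headers", "authorization,content-type"],
];
const doubledGet = [["Access-Control-Allow-Origin", ORIGIN], ["Access-Control-Allow-Origin", ORIGIN]];

console.log(checkPreflight(ORIGIN, "GET", ["authorization", "content-type"], 200, bareOptions));
console.log(checkPreflight(ORIGIN, "GET", ["authorization", "content-type"], 200, fixedOptions));
console.log(checkAllowOrigin(ORIGIN, doubledGet));
```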

If I run a normal plugin with a REST API, where do I have to write this? Which directory and which file?

Info: I did nothing special to the server, normal localhost running on tomcat.

You can do it through applinks path. Please see Philip's answer:

This link is broken :(

I tried to get REST data from JIRA in JS.

var baseUrl = "https://url";
var response = httpGet("/rest/...", baseUrl);

function httpGet(theUrl, baseUrl) {
    var xmlHttp = new XMLHttpRequest();
    xmlHttp.open("GET", theUrl, false); // false for synchronous request
    xmlHttp.setRequestHeader('Access-Control-Allow-Origin', baseUrl);
    xmlHttp.send(null);
    return xmlHttp.responseText;
}

REMOVE the base URL from the link to make the browser substitute it itself and not hit the Access-Control exception.

