JIRA REST API cors

Question

I keep getting the following CORS error when trying to consume the JIRA ReST API:

Fetch API cannot load https://jira.our-domain-name.com/jira/rest/api/2/search?jql=project=tcc%20and%20cf[10809]~8423362. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://application-url.our-domain-name.com' is therefore not allowed access. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

However, this search URL works 100% when I paste it directly into the browser, or running it through Postman, or using CURL from command line.

My app is calling the API, using the javascript fetch API. I set the following headers when making the GET request:

headers: {
    "content-type": "application/json",
    "authorization": "Basic <<encrypted>>"
}

I have ensured that the requesting host has been whitelised in JIRA admin - I have tested the host using the test feature on the whitelist page.

When I change the whitelist from wildcard to Domain Name, I suddenly get this:

Fetch API cannot load https://jira.our-domain-name.com/jira/rest/api/2/search?jql=project=tcc%20and%20cf[10809]~8423362. Request header field authorization is not allowed by Access-Control-Allow-Headers in preflight response.

Any ideas?

Answer 1

You have 2 options.

The easiest way is to proxy your request through your backend (if that's possible) since the CORS restrictions are enforced on JavaScript running within the browser.

The other way would be to reconfigure the Tomcat server that Jira is running on to support sending a CORS header. This can have other security implications if not done right.