Getting CORS errors when accessing Confluence resources


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

    

Summary

When accessing Confluence resources from another origin, the request is blocked and may result in a CORS error similar to the following:

Access to fetch at <Confluence-URL> from <Origin-URL> has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

This can happen even if the origin of the request is enabled on Confluence's allowlist.

Diagnosis

To reproduce this with curl, send a request with an Origin header whose address differs from Confluence's, for example:


    curl -u admin:admin -H "Origin: http://example.com" --verbose \
      http://<base-url>/rest/api/user\?username\=admin
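What matters in the output of the curl test above is which Access-Control-* response headers come back. The following shell function is an added example (not Atlassian's code) that classifies a response for a request sent with credentials, where a browser requires an exact origin match and rejects a wildcard; the function name, verdict strings and sample responses are constructed for illustration.

```sh
#!/bin/sh
# Added example: decide whether a browser would accept a credentialed
# cross-origin response, given the raw response headers.

# cors_verdict ORIGIN   (raw response headers on stdin, e.g. from curl -D -)
cors_verdict() {
  awk -v origin="$1" '
    {
      sub(/\r$/, "")                       # header lines end in CRLF
      i = index($0, ":"); if (i == 0) next # skip status line and blank line
      name  = tolower(substr($0, 1, i - 1))
      value = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", value)
      if (name == "access-control-allow-origin")      acao = value
      if (name == "access-control-allow-credentials") acac = value
    }
    END {
      if (acao == "")          print "blocked:no-allow-origin-header"
      else if (acao == "*")    print "blocked:wildcard-with-credentials"
      else if (acao != origin) print "blocked:origin-mismatch"
      else if (acac != "true") print "blocked:credentials-not-allowed"
      else                     print "allowed"
    }'
}

# Constructed sample responses (not captured from a real Confluence instance).
sample_without_filter() {
  printf 'HTTP/1.1 200 \r\nContent-Type: application/json\r\n\r\n'
}
sample_with_filter() {
  printf 'HTTP/1.1 200 \r\n'
  printf 'Access-Control-Allow-Origin: http://example.com\r\n'
  printf 'Access-Control-Allow-Credentials: true\r\n\r\n'
}

sample_without_filter | cors_verdict "http://example.com"   # blocked:no-allow-origin-header
sample_with_filter    | cors_verdict "http://example.com"   # allowed

# Live check (needs network; <base-url> is the page's placeholder):
#   curl -s -o /dev/null -D - -u admin:admin -H "Origin: http://example.com" \
#     "http://<base-url>/rest/api/user?username=admin" | cors_verdict "http://example.com"
```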

Cause

Confluence does not include a default configuration for enabling CORS requests from any source. As such, it blocks all cross-origin requests by default.

Solution

For Confluence 7.14.0 and below

Given that this is not included in Confluence's default Tomcat settings, it's necessary to add a CORS filter configuration manually:

  1. Shut down Confluence
  2. Edit the <confluence-install>/confluence/WEB-INF/web.xml file
  3. Add the following lines from line 30:

    <filter>
    	<filter-name>CorsFilter</filter-name>
    	<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
          
    	<init-param>
    		<param-name>cors.allowed.origins</param-name>
    		<param-value>http://allowed.domain</param-value>
    	</init-param>
    	<init-param>
    		<param-name>cors.allowed.methods</param-name>
    		<param-value>GET,POST,PUT,DELETE</param-value>
    	</init-param>
    	<init-param>
    		<param-name>cors.exposed.headers</param-name>
    		<param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
    	</init-param>
    	<init-param>
    		<param-name>cors.support.credentials</param-name>
    		<param-value>true</param-value>
    	</init-param>
    	<init-param>
    		<param-name>cors.preflight.maxage</param-name>
    		<param-value>1800</param-value>
    	</init-param>
    </filter>
    <filter-mapping>
    	<filter-name>CorsFilter</filter-name>
    	<url-pattern>/*</url-pattern>
    </filter-mapping>

    Replace http://allowed.domain in the above filter with the URL that originates these requests. If more than one origin needs to access Confluence resources, you can add multiple domains to the cors.allowed.origins parameter, separated by commas.

  4. Start Confluence

For Confluence 7.15.0 and above

The above setting no longer works because the <confluence-install>/confluence/WEB-INF/web.xml template has changed. We are currently tracking interest in the below enhancement request:


Last modified on Oct 11, 2022
