REST API calls with a browser User-Agent header may fail CSRF checks


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem

Adding a browser-style User-Agent header to a REST API call causes the call to be rejected. Example:

curl -D- -u admin:admin -X POST -H "Content-Type: application/json" -d @"P:\UTIL\script\rest.json" http://localhost:8705/jira/rest/api/2/issue -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"

Diagnosis

From the log, the following WARN is thrown:

2016-02-03 22:25:15,125 http-nio-8705-exec-15 WARN admin 1345x6598x1 1jbuio 0:0:0:0:0:0:0:1 /rest/api/2/issue [c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request: http://localhost:8705/jira/rest/api/2/issue , origin: null , referrer: null , credentials in request: true , allowed via CORS: false

This is known to affect the RESTClient Firefox plugin, because Firefox plugins, unlike Chrome and Safari plugins, do not include an Origin header carrying a plugin origin.


The same call works from Postman, where the Access-Control-Allow-Origin response header is seen by the browser.

Cause

Recent changes in Atlassian REST mean that some browser requests may be blocked because the origin of the request is not trusted.

More information can be found in Cross Site Request Forgery (CSRF) protection changes in Atlassian REST.

Resolution

  1. Since the REST API does not require a User-Agent header, removing that header from the call works.

  2. Alternatively, adding an Origin or Referer header to the call that specifies the same origin as the instance, or a whitelisted one, also works:

    curl -D- -u admin:admin -X POST -H "Origin: https://dc.andy.com" -H "Content-Type: application/json" -d @"P:\UTIL\script\rest.json" https://dc.andy.com/jira/rest/api/2/issue -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"
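To make the decision visible, here is a small added model of the check described above, written for this article and not Atlassian's XsrfResourceFilter code. It assumes the instance base URL from the failing curl example, an empty CORS whitelist, and a simplified browser User-Agent matcher; it reproduces the rejection in the Diagnosis section and shows why both resolutions pass.

```python
import re
from urllib.parse import urlparse

# Assumed instance base URL (taken from the failing curl example above).
BASE_URL = "http://localhost:8705/jira"
# Hypothetical set of extra origins an admin has whitelisted for CORS.
CORS_ALLOWED_ORIGINS: set[str] = set()
# Simplified browser detection (assumption): tokens common browser UAs carry.
BROWSER_UA = re.compile(r"Mozilla/|AppleWebKit|Chrome/|Safari/|Firefox/")


def origin_of(url: str) -> str:
    """Scheme + host[:port] of a URL, lower-cased for comparison."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def xsrf_check(headers: dict, has_credentials: bool = True):
    """Return (allowed, reason) for one request.

    A non-browser User-Agent skips the additional checks. A browser
    User-Agent must carry an Origin or Referer that matches the instance
    origin or the CORS whitelist; otherwise a credentialed request fails,
    which is the 'origin: null , referrer: null' WARN seen in the log.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if not BROWSER_UA.search(h.get("user-agent", "")):
        return True, "non-browser User-Agent: additional XSRF checks skipped"
    source = None
    if h.get("origin"):
        source = h["origin"].rstrip("/").lower()
    elif h.get("referer"):
        source = origin_of(h["referer"])
    if source is None:
        if not has_credentials:
            return True, "no credentials in request: nothing to forge"
        return False, "origin: null , referrer: null , credentials in request: true , allowed via CORS: false"
    if source == origin_of(BASE_URL):
        return True, f"same origin as the instance: {source}"
    if source in CORS_ALLOWED_ORIGINS:
        return True, f"origin {source} allowed via CORS"
    return False, f"untrusted origin: {source}"


if __name__ == "__main__":
    chrome = "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"
    # Constructed requests: the failing call, then resolution 1 and resolution 2.
    print(xsrf_check({"User-Agent": chrome, "Content-Type": "application/json"}))
    print(xsrf_check({"Content-Type": "application/json"}))
    print(xsrf_check({"User-Agent": chrome, "Origin": "http://localhost:8705"}))
```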

Description: Specifying a browser User-Agent header in a REST API call makes it fail to be executed
Product: Jira
Platform: Server
Last modified on Nov 15, 2018
