Trying to connect a external URL to internally hosted Jira throws The 'Access-Control-Allow-Origin' header contains multiple values '*,*', but only one is allowed.”
Problem
While trying to connect a external URL to a internally hosted JIRA, the browser throws the following error.
"Access to XMLHttpRequest at 'xxxx' from origin '<external site>' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource."
After fixing the issue as per the workaround suggested in - JRASERVER-59101Getting issue details... STATUS , the user still runs into the following error
Access to XMLHttpRequest at 'xxx' from origin '<external site>' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values '<external site>,<external site>', but only one is allowed.”
Diagnosis
The external site is whitelisted as per the recommendations provided in configuring-the-whitelist and allow incoming is selected so that CORS request is allowed. Additionally the workaround to respond to the Pre-flight CORS request by browsers for external site is handled as follows in the proxy settings
# CORS allowed
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Max-Age "3000"
Header always set Access-Control-Allow-Headers "X-Requested-With, Content-Type, Origin, Authorization, Accept, Client-Security-Token, Accept-Encoding"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
# Return HTTP/1.1 200 OK for all OPTIONS CORS preflight requests
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(/rest/api/2/.*)$ $1 [R=200,L]
Cause
Whenever JIRA is accessed from a external site say http://example.com, Chrome or Firefox would include a pre-flight request using OPTIONS method to determine whether the actual request is safe to send. More information on when pre-flighted requests would be made can be understood from Preflighted Request.
In the current configuration, JIRA responds to pre-flighted requests with its own Access-Control-Allow-Origin value since we set up 'Allow incoming' for CORS request in the whitelist configuration. Even though it responds for the pre-flight request it does not respond with the correct headers for the browsers to accept. This is explained in the actual results section of Problem 2 in - JRASERVER-59101Getting issue details... STATUS . Additionally, we set a response for CORS pre-flighted request in our proxy as explained in the diagnosis above as a workaround. This cause two values to be set for the response header Access-Control-Allow-Origin, one by JIRA and another by Proxy.
Resolution
Avoid setting the whitelist for the site with 'allow incoming' for the CORS request in case the workaround to handle the response is already implemented in the proxy for Jira.