Trying to connect a external URL to internally hosted Jira throws The 'Access-Control-Allow-Origin' header contains multiple values '*,*', but only one is allowed.”

Still need help?

The Atlassian Community is here for you.

Ask the community

Problem

While trying to connect a external URL to a internally hosted JIRA, the browser throws the following error.

Access Control allow origin
"Access to XMLHttpRequest at 'xxxx' from origin '<external site>' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource."

After fixing the issue as per the workaround suggested in  JRASERVER-59101 - Getting issue details... STATUS , the user still runs into the following error

Multiple Origins
Access to XMLHttpRequest at 'xxx' from origin '<external site>' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values '<external site>,<external site>', but only one is allowed.”

Diagnosis

The external site is whitelisted as per the recommendations provided in configuring-the-whitelist and allow incoming is selected so that CORS request is allowed. Additionally the workaround to respond to the Pre-flight CORS request by browsers for external site is handled as follows in the proxy settings

CORS policy
   # CORS allowed
    Header always set Access-Control-Allow-Origin "*"
    Header always set Access-Control-Max-Age "3000"
    Header always set Access-Control-Allow-Headers "X-Requested-With, Content-Type, Origin, Authorization, Accept, Client-Security-Token, Accept-Encoding"
    Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"

    # Return HTTP/1.1 200 OK for all OPTIONS CORS preflight requests
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} OPTIONS
    RewriteRule ^(/rest/api/2/.*)$ $1 [R=200,L]

Cause

Whenever JIRA is accessed from a external site say http://example.com, Chrome or Firefox would include a pre-flight request using OPTIONS method to determine whether the actual request is safe to send. More information on when pre-flighted requests would be made can be understood from Preflighted Request.

In the current configuration, JIRA responds to pre-flighted requests with its own Access-Control-Allow-Origin value since we set up 'Allow incoming' for CORS request in the whitelist configuration. Even though it responds for the pre-flight request it does not respond with the correct headers for the browsers to accept. This is explained in the actual results section of Problem 2 in JRASERVER-59101 - Getting issue details... STATUS . Additionally, we set a response for CORS pre-flighted request in our proxy as explained in the diagnosis above as a workaround. This cause two values to be set for the response header Access-Control-Allow-Origin, one by JIRA and another by Proxy.

Resolution

Avoid setting the whitelist for the site with 'allow incoming' for the CORS request in case the workaround to handle the response is already implemented in the proxy for Jira.

DescriptionCORS requests
ProductJira



Last modified on Feb 13, 2019

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.