Trying to connect a external URL to internally hosted Jira throws The 'Access-Control-Allow-Origin' header contains multiple values '*,*', but only one is allowed.”
Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.
Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
While trying to connect a external URL to a internally hosted JIRA, the browser throws the following error.
"Access to XMLHttpRequest at 'xxxx' from origin '<external site>' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource."After fixing the issue as per the workaround suggested in JRASERVER-59101 - Jira doesn't support preflighted requests for CORS (fixed in 8.9.0 and later) , the user still runs into the following error
Access to XMLHttpRequest at 'xxx' from origin '<external site>' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values '<external site>,<external site>', but only one is allowed.”Diagnosis
The external site is whitelisted as per the recommendations provided in configuring-the-whitelist and allow incoming is selected so that CORS request is allowed. Additionally the workaround to respond to the Pre-flight CORS request by browsers for external site is handled as follows in the proxy settings
# CORS allowed
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Max-Age "3000"
Header always set Access-Control-Allow-Headers "X-Requested-With, Content-Type, Origin, Authorization, Accept, Client-Security-Token, Accept-Encoding"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
# Return HTTP/1.1 200 OK for all OPTIONS CORS preflight requests
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(/rest/api/2/.*)$ $1 [R=200,L]Cause
Whenever JIRA is accessed from a external site say http://example.com, Chrome or Firefox would include a pre-flight request using OPTIONS method to determine whether the actual request is safe to send. More information on when pre-flighted requests would be made can be understood from Preflighted Request.
In the current configuration, JIRA responds to pre-flighted requests with its own Access-Control-Allow-Origin value since we set up 'Allow incoming' for CORS request in the whitelist configuration. Even though it responds for the pre-flight request it does not respond with the correct headers for the browsers to accept. This is explained in the actual results section of Problem 2 in JRASERVER-59101 - Jira doesn't support preflighted requests for CORS . Additionally, we set a response for CORS pre-flighted request in our proxy as explained in the diagnosis above as a workaround. This cause two values to be set for the response header Access-Control-Allow-Origin, one by JIRA and another by Proxy.
Resolution
Avoid setting the whitelist for the site with 'allow incoming' for the CORS request in case the workaround to handle the response is already implemented in the proxy for Jira.