Getting CORS errors when accessing Confluence resources



Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

    

Summary

When accessing Confluence resources from another origin, the request is blocked and may result in a CORS error similar to the following:

Access to fetch at <Confluence-URL> from <Origin-URL> has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

This can happen even if the origin of the request is enabled on Confluence's allowlist.

Diagnosis

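This can be tested with curl when the origin URL and Confluence are on different addresses. Send a request with an Origin header and check whether the response includes an Access-Control-Allow-Origin header: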


    curl -u admin:admin -H "Origin: http://example.com" --verbose \
      "http://<base-url>/rest/api/user?username=admin"

Cause

Confluence does not include a default configuration that enables CORS requests from any source. As such, it blocks all cross-origin requests by default.

Solution

For Confluence 7.14.0 and earlier versions

Given that this is not included in Confluence's default Tomcat settings, it's necessary to add a CORS filter configuration manually:

  1. Shut down Confluence
  2. Edit the <confluence-install>/confluence/WEB-INF/web.xml file
  3. Add the following lines, starting at line 30 of the file:

    <filter>
    	<filter-name>CorsFilter</filter-name>
    	<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
          
    	<init-param>
    		<param-name>cors.allowed.origins</param-name>
    		<param-value>http://allowed.domain</param-value>
    	</init-param>
    	<init-param>
    		<param-name>cors.allowed.methods</param-name>
    		<param-value>GET,POST,PUT,DELETE</param-value>
    	</init-param>
    	<init-param>
    		<param-name>cors.exposed.headers</param-name>
    		<param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
    	</init-param>
    	<init-param>
    		<param-name>cors.support.credentials</param-name>
    		<param-value>true</param-value>
    	</init-param>
    	<init-param>
    		<param-name>cors.preflight.maxage</param-name>
    		<param-value>1800</param-value>
    	</init-param>
    </filter>
    <filter-mapping>
    	<filter-name>CorsFilter</filter-name>
    	<url-pattern>/*</url-pattern>
    </filter-mapping>

    Replace http://allowed.domain in the filter above with the URL that originates these requests. If more than one origin needs to access Confluence resources, add them all to the cors.allowed.origins parameter, separated by commas. Because cors.support.credentials is set to true, list only origins you trust: each listed origin can make authenticated requests using a logged-in user's session.

  4. Start Confluence
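
A check that can be run on the edited file before step 4, given here as an added example (it is not Atlassian's code): it audits the CorsFilter block from step 3 for stray text inside the filter element, origins that are not bare scheme://host[:port] values, a wildcard origin, and a missing filter-mapping. The names audit_cors_filter and SAMPLE, and the origin https://wiki.example/app, are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

CORS_CLASS = "org.apache.catalina.filters.CorsFilter"

def _text(elem, name):
    return (elem.findtext(name) or "").strip()

def audit_cors_filter(web_xml):
    """Return a list of findings for the Tomcat CorsFilter declared in web.xml text."""
    root = ET.fromstring(web_xml)
    for elem in root.iter():                     # drop the namespace web.xml declares
        elem.tag = elem.tag.rsplit("}", 1)[-1]
    flt = next((f for f in root.iter("filter")
                if _text(f, "filter-class") == CORS_CLASS), None)
    if flt is None:
        return ["no CorsFilter declared"]
    findings = []
    # Character data directly inside <filter> (such as a stray ';') is not valid there.
    stray = " ".join(((flt.text or "") + "".join(c.tail or "" for c in flt)).split())
    if stray:
        findings.append("stray text inside <filter>: %r" % stray)
    params = {_text(p, "param-name"): _text(p, "param-value")
              for p in flt.findall("init-param")}
    creds = params.get("cors.support.credentials", "").lower() == "true"
    origins = [o.strip() for o in params.get("cors.allowed.origins", "").split(",")]
    for origin in filter(None, origins):
        u = urlsplit(origin)
        if origin == "*":
            findings.append("wildcard origin" + (" with credentials enabled" if creds else ""))
        elif u.scheme not in ("http", "https") or not u.netloc or u.path or u.query:
            findings.append("not a bare scheme://host[:port] origin: " + origin)
    name = _text(flt, "filter-name")
    if name not in {_text(m, "filter-name") for m in root.iter("filter-mapping")}:
        findings.append("no <filter-mapping> for %r" % name)
    return findings

# Constructed sample: stray ';', an origin with a path, and no <filter-mapping>.
SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>;
  <init-param><param-name>cors.allowed.origins</param-name>
    <param-value>http://allowed.domain, https://wiki.example/app</param-value></init-param>
  <init-param><param-name>cors.support.credentials</param-name>
    <param-value>true</param-value></init-param>
</filter></web-app>"""

if __name__ == "__main__":
    print("\n".join(audit_cors_filter(SAMPLE)))
```

Pass the contents of the edited web.xml to audit_cors_filter; an empty list means none of these checks fired.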

For Confluence 7.15.0 and later versions

The above setting no longer works because the <confluence-install>/confluence/WEB-INF/web.xml template has changed. We are currently tracking interest in the enhancement request below:


Last updated: October 11, 2022
