Trying to connect an external URL to internally hosted Jira throws "The 'Access-Control-Allow-Origin' header contains multiple values '*,*', but only one is allowed."


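Platform notice: Data Center - This article applies to Atlassian products on the Data Center platform.

This knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for features that are not specific to Data Center may also work for the Server version of the product, but this has not been tested. Support for Server* products ended on February 15, 2024. If you are running a Server product, see the Atlassian Server end of support announcement page to review your migration options.

*Except Fisheye and Crucible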

Problem

While trying to connect an external URL to an internally hosted JIRA, the browser throws the following error:

Access Control allow origin
"Access to XMLHttpRequest at 'xxxx' from origin '<external site>' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource."

After fixing the issue as per the workaround suggested in JRASERVER-59101 - Jira doesn't support preflighted requests for CORS (fixed in 8.9.0 and later), the user still runs into the following error:

Multiple Origins
Access to XMLHttpRequest at 'xxx' from origin '<external site>' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values '<external site>,<external site>', but only one is allowed.

Diagnosis

The external site is whitelisted as per the recommendations in configuring-the-whitelist, and 'Allow incoming' is selected so that CORS requests are allowed. Additionally, the workaround that answers the browser's CORS preflight request for the external site is implemented in the proxy settings as follows:

CORS policy
    # CORS allowed
    Header always set Access-Control-Allow-Origin "*"
    Header always set Access-Control-Max-Age "3000"
    Header always set Access-Control-Allow-Headers "X-Requested-With, Content-Type, Origin, Authorization, Accept, Client-Security-Token, Accept-Encoding"
    Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"

    # Return HTTP/1.1 200 OK for all OPTIONS CORS preflight requests
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} OPTIONS
    RewriteRule ^(/rest/api/2/.*)$ $1 [R=200,L]

Cause

Whenever JIRA is accessed from an external site, say http://example.com, Chrome or Firefox sends a preflight request using the OPTIONS method to determine whether the actual request is safe to send. See Preflighted Request for more information on when preflighted requests are made.

In the current configuration, JIRA responds to preflighted requests with its own Access-Control-Allow-Origin value because 'Allow incoming' is set up for CORS requests in the whitelist configuration. Even though it responds to the preflight request, it does not respond with the correct headers for the browsers to accept. This is explained in the actual results section of Problem 2 in JRASERVER-59101 - Jira doesn't support preflighted requests for CORS. Additionally, as a workaround, the proxy is configured to respond to CORS preflighted requests, as explained in the diagnosis above. This causes two values to be set for the response header Access-Control-Allow-Origin: one by JIRA and another by the proxy.

Solution

If the workaround that handles the preflight response is already implemented in the proxy for Jira, avoid also whitelisting the site with 'Allow incoming' for CORS requests.
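
To confirm outside the browser that only one Access-Control-Allow-Origin value reaches the client after this change, the following added example (not Atlassian's code) applies the single-value rule to a raw preflight response. The function names, the origin https://external.example and the sample responses are constructed for illustration.

```python
# Added example: apply the browser's single-value rule for
# Access-Control-Allow-Origin to a raw HTTP response (constructed samples).

ORIGIN = "https://external.example"  # placeholder for the external site

# Constructed preflight responses: header added twice, once, and not at all.
DUPLICATED = (
    "HTTP/1.1 200 OK\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "\r\n"
)
SINGLE = (
    "HTTP/1.1 200 OK\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Access-Control-Max-Age: 3000\r\n"
    "\r\n"
)
MISSING = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def acao_values(raw_response):
    """Return every Access-Control-Allow-Origin value found in the header block."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    values = []
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "access-control-allow-origin":
            # One field line may itself carry a comma-separated list.
            values.extend(v.strip() for v in value.split(","))
    return values


def check_acao(raw_response, origin):
    """Return (accepted, reason) for a non-credentialed request from origin."""
    values = acao_values(raw_response)
    if not values:
        return False, "no 'Access-Control-Allow-Origin' header is present"
    if len(values) > 1:
        return False, "multiple values '%s', but only one is allowed" % ",".join(values)
    if values[0] in ("*", origin):
        return True, "ok"
    return False, "value '%s' does not match origin '%s'" % (values[0], origin)


if __name__ == "__main__":
    for label, raw in (("duplicated", DUPLICATED), ("single", SINGLE), ("missing", MISSING)):
        print(label, check_acao(raw, ORIGIN))
```

The raw response can be captured with `curl -i -X OPTIONS` against the proxied Jira URL, sending the external site in an `Origin` header.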

Description: CORS requests
Product: Jira



Last updated: January 31, 2025
