Trying to connect a external URL to internally hosted Jira throws The 'Access-Control-Allow-Origin' header contains multiple values '*,*', but only one is allowed.”


アトラシアン コミュニティをご利用ください。



While trying to connect a external URL to a internally hosted JIRA, the browser throws the following error.

Access Control allow origin
"Access to XMLHttpRequest at 'xxxx' from origin '<external site>' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource."

After fixing the issue as per the workaround suggested in  JRASERVER-59101 - Getting issue details... STATUS , the user still runs into the following error

Multiple Origins
Access to XMLHttpRequest at 'xxx' from origin '<external site>' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values '<external site>,<external site>', but only one is allowed.”


The external site is whitelisted as per the recommendations provided in configuring-the-whitelist and allow incoming is selected so that CORS request is allowed. Additionally the workaround to respond to the Pre-flight CORS request by browsers for external site is handled as follows in the proxy settings

CORS policy
   # CORS allowed
    Header always set Access-Control-Allow-Origin "*"
    Header always set Access-Control-Max-Age "3000"
    Header always set Access-Control-Allow-Headers "X-Requested-With, Content-Type, Origin, Authorization, Accept, Client-Security-Token, Accept-Encoding"
    Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"

    # Return HTTP/1.1 200 OK for all OPTIONS CORS preflight requests
    RewriteEngine On
    RewriteRule ^(/rest/api/2/.*)$ $1 [R=200,L]


Whenever JIRA is accessed from a external site say, Chrome or Firefox would include a pre-flight request using OPTIONS method to determine whether the actual request is safe to send. More information on when pre-flighted requests would be made can be understood from Preflighted Request.

In the current configuration, JIRA responds to pre-flighted requests with its own Access-Control-Allow-Origin value since we set up 'Allow incoming' for CORS request in the whitelist configuration. Even though it responds for the pre-flight request it does not respond with the correct headers for the browsers to accept. This is explained in the actual results section of Problem 2 in JRASERVER-59101 - Getting issue details... STATUS . Additionally, we set a response for CORS pre-flighted request in our proxy as explained in the diagnosis above as a workaround. This cause two values to be set for the response header Access-Control-Allow-Origin, one by JIRA and another by Proxy.


Avoid setting the whitelist for the site with 'allow incoming' for the CORS request in case the workaround to handle the response is already implemented in the proxy for Jira.

説明CORS requests

最終更新日: 2019 年 2 月 13 日


Powered by Confluence and Scroll Viewport.