CORS error with REST API

Please forgive me if this is covered; I’m a longtime Jira admin, but have never used the APIs before.

I’m attempting to write a script that will run from my local webserver and get a list of projects on my Jira cloud site. I’m the admin of the Jira site.

I’m trying to call the REST api via a javascript ajax call and getting a CORS error. I’ve searched, but all of the solutions seem to be strictly for Jira Server, not cloud.

Can anyone help me out?

Here’s what my code looks like; apologies for the screenshot - apparently since I’m a new user I can’t post anything with URLs, and can only post a single screenshot.

Note that if I run the exact same URL with the same Basic authentication header from WebStorm’s REST Client, I get my expected data in the response.

This is an enforcement your browser is enforcing. CORS errors are only caused because your browser notes that the domain for the URL you’re requesting does NOT match the domain for the URL you are currently on.

Generally, people would use back-end programming languages to interact with other services, as opposed to writing javascript that is executed in a client’s browser. So the simple correct answer is: Don’t use browser javascript, instead use Node.JS, Python, Bash, Java, something that runs on a server.

I’m curious what your response to this is, so I’ll hold off on other advice.

Thanks for the info. I’m primarily a PHP developer, and I wanted to create a web-based solution where I could have a page that would display all of my projects as checkboxes, so I could select specific projects, then enter data in a field and submit to a POST call that would update the field in all selected projects. The return from the ajax call to /rest/api/3/project/search would be processed by PHP to extract project ID, etc. and generate a series of checkboxes.

I’m not sure how to accomplish something like that without using a browser, but I’d be interested in hearing your advice.

@estrom We actually do support CORS requests when using, as your requests will go through where token based authentication is the only thing we allow.

For further explanation: The problem why we don’t support CORS directly on your site host/domain is that we accept session based authentication on there, which would then allow any site to make random, authenticated requests to your site.

The alternative is to proxy your requests through your own backend, which is what @sfbehnke was referring to.

Hope this makes sense. Let me know if you have any other questions please.
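
Added example, not part of the thread and not Atlassian's code: a minimal Node.js sketch of the "proxy through your own backend" approach described above, where the browser calls a same-origin route and only the server holds the Jira credentials. The `/api/projects` route, the `JIRA_SITE`, `JIRA_EMAIL` and `JIRA_API_TOKEN` environment variable names, and the use of an email plus API token for the Basic header are assumptions made for this example.

```javascript
// Added example: same-origin backend proxy for Jira Cloud (not from the thread).
// Only these routes are relayed; anything else is refused so the proxy cannot
// be used as a general authenticated relay to the Jira site.
const ALLOWED = new Map([["/api/projects", "/rest/api/3/project/search"]]);

// Build the upstream request for a browser request, or return null to refuse.
function buildUpstream(method, path, cfg) {
  const url = new URL(path, "http://localhost"); // parse only; host is discarded
  const target = ALLOWED.get(url.pathname);
  if (method !== "GET" || !target) return null;
  const upstream = new URL(target, `https://${cfg.site}`);
  // Forward only the paging parameters, and only as short digit strings.
  for (const key of ["startAt", "maxResults"]) {
    const v = url.searchParams.get(key);
    if (v !== null && /^\d{1,4}$/.test(v)) upstream.searchParams.set(key, v);
  }
  const basic = Buffer.from(`${cfg.email}:${cfg.apiToken}`).toString("base64");
  return {
    url: upstream.toString(),
    headers: { Authorization: `Basic ${basic}`, Accept: "application/json" },
  };
}

// Reduce the Jira response to the fields a checkbox page needs.
function toCheckboxItems(body) {
  return (body.values || []).map((p) => ({ id: p.id, key: p.key, name: p.name }));
}

async function startProxy(cfg, port) {
  const http = await import("node:http");
  return http.createServer(async (req, res) => {
    const up = buildUpstream(req.method, req.url, cfg);
    if (!up) { res.writeHead(404).end(); return; }
    try {
      const r = await fetch(up.url, { headers: up.headers });
      if (!r.ok) { res.writeHead(502).end(); return; }
      // No Access-Control-Allow-Origin header: the page is served from this origin.
      res.writeHead(200, { "Content-Type": "application/json" });
      res.end(JSON.stringify(toCheckboxItems(await r.json())));
    } catch { res.writeHead(502).end(); }
  }).listen(port, "127.0.0.1");
}

// Credentials come from the server's environment, never from the browser.
if (process.env.JIRA_SITE) {
  startProxy({ site: process.env.JIRA_SITE, email: process.env.JIRA_EMAIL,
               apiToken: process.env.JIRA_API_TOKEN }, 8080);
}
```

The page that renders the checkboxes has to be served from the same origin as this route, so the browser never makes a cross-origin request and no CORS headers are needed.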


Thanks. The problem with OAuth is that your PHP examples are extremely unhelpful. They don’t work out of the box, and they rely on a lot of unnecessary dependencies.
