Jira cloud token based auth CORS issues

Hi @FilipMalek,

As mentioned in: CORs error with REST api - #4 by sreuter

We actually do support CORS requests when using https://developer.atlassian.com/cloud/jira/platform/oauth-2-authorization-code-grants-3lo-for-apps/, as your requests will go through api.atlassian.com where token based authentication is the only thing we allow.

For further explanation: The problem why we don’t support CORS directly on your site host/domain is that we accept session based authentication on there, which would then allow any site to make random, authenticated requests to your site.

The alternative is to proxy your requests through your own backend.


This is also mentioned in the FAQ section of the OAuth 2.0 (3LO) for apps documentation page:

Is CORS whitelisting supported?
CORS whitelisting is supported for api.atlassian.com. CORS whitelisting allows OAuth 2.0 authorization code grants to work for browser-based XHR or fetch requests subject to cross-origin restrictions, such as Chrome or Electron apps.

Also, from the same documentation:

Requests that use OAuth 2.0 (3LO) are made via api.atlassian.com (not https://your-domain.atlassian.net). Construct your request URL using the following structure:

  • Jira apps: https://api.atlassian.com/ex/jira/{cloudid}/{api}
  • Confluence apps: https://api.atlassian.com/ex/confluence/{cloudid}/{api}

Please review the above documentation and thread for details.

Also, as a possible workaround, you may want to have a look at: CORS Anywhere

I hope this helps.

Cheers,
Dario
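
The URL structure quoted in the post above, as an added example that is not part of the original post and is not Atlassian's code: it builds a token-only request for api.atlassian.com and refuses paths that would leave the `/ex/{product}/{cloudid}/` prefix. The function names, the UUID-shaped cloud ID check, the `Bearer` header form and the sample path `rest/api/3/myself` are assumptions of this example.

```javascript
// Added example: build a browser fetch() request for the OAuth 2.0 (3LO)
// gateway, so the token only ever goes to api.atlassian.com.
const GATEWAY = "https://api.atlassian.com";
const PRODUCTS = new Set(["jira", "confluence"]);
// Assumption: cloud IDs are UUID-shaped; relax this check if yours differ.
const CLOUD_ID_RE = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i;

function buildRequest(product, cloudId, apiPath, accessToken) {
  if (!PRODUCTS.has(product)) throw new Error(`unknown product: ${product}`);
  if (!CLOUD_ID_RE.test(cloudId)) throw new Error("cloudId is not UUID-shaped");
  if (!accessToken) throw new Error("missing OAuth access token");

  const prefix = `/ex/${product}/${cloudId}/`;
  // The URL parser resolves "..", "%2e%2e" and similar dot segments, so the
  // prefix check below sees the path the server would actually receive.
  const url = new URL(GATEWAY + prefix + String(apiPath).replace(/^\/+/, ""));
  if (url.origin !== GATEWAY || !url.pathname.startsWith(prefix)) {
    throw new Error("apiPath escapes the product/cloudid prefix");
  }

  return {
    url: url.href,
    init: {
      method: "GET",
      mode: "cors",
      // Token-based auth only: never attach cookies to the cross-origin call.
      credentials: "omit",
      headers: {
        Authorization: `Bearer ${accessToken}`,
        Accept: "application/json",
      },
    },
  };
}

// Usage in a browser or Electron renderer (not invoked here).
async function callGateway(product, cloudId, apiPath, accessToken) {
  const { url, init } = buildRequest(product, cloudId, apiPath, accessToken);
  const res = await fetch(url, init);
  if (!res.ok) throw new Error(`gateway returned HTTP ${res.status}`);
  return res.json();
}
```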