REST API request fails with "XSRF check failed"

Hi Folks,

We are currently developing a browser extension to create issues from specific web content.
Sending data to https://company-name.atlassian.net/rest/api/2/issue result in 403 -XSRF check failed

Some Information:

  • Chrome Browser
  • We use Basic Authentication with token.
  • We do see the token we use is valid (id.atlassian.com/manage/api-tokens shows token has been used)
  • Request “Origin” and “Referer” have the same base url.
  • calling the same endpoint with same data from curl works just fine.

I found several information/Topics about that error. But since we are in a browser environment, we can’t manipulate “User-Agent” header, which some people suggest

The code for the request looks like this:

return window.fetch(url, {
    method: 'POST',
    headers: {
        'Content-Type': 'application/json; charset=UTF-8',
        'Authorization': `Basic ${Base64.encode(`${mail}:${token}`)}`,
        'X-Atlassian-Token': 'no-check'
    },
    body: JSON.stringify(data)
}).then(response => response.json()) 
  .catch(error => console.error(`Fetch Error =\n`, error));

User-Agent:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36

Permissions:

"permissions": [
    "pageCapture",
    "webRequest",
    "storage"
]

Happy about any help!

Marco

Further Investigation:

If i use https://insomnia.rest/ to fire the call, all works fine. But if i set the User-Agent to the one my browser defined Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36 i get the same error again.

Hey Marco, Were you ever able to resolve this issue? Thanks.

After having a look at several places, did not find a solution. Then played around with headers and this worked for me.

I am injecting PUT messages to Jira Server… via Talend API tester (chrome)

User-Agent: dummyValue
Content-Type: application/json
Accept: application/json

When I modified these, it worked. no more XSRF check failed
I think it’s the user-agent that causes the issue.

Please accept this answer if this works for you.

1 Like