Hi Folks,
We are currently developing a browser extension to create issues from specific web content.
Sending data to https://company-name.atlassian.net/rest/api/2/issue results in "403 - XSRF check failed".
Some information:
- Chrome browser
- We use Basic Authentication with a token.
- We do see that the token we use is valid (the Atlassian account shows the token has been used).
- The request "Origin" and "Referer" headers have the same base URL.
- Calling the same endpoint with the same data from curl works just fine.
I found several topics about that error, but since we are in a browser environment we can't manipulate the "User-Agent" header, which some people suggest.
The code for the request looks like this:
```javascript
// createIssue is a placeholder name for the function this snippet was taken from.
// Base64 is the Base64 helper bundled with the extension (e.g. js-base64); btoa() would also do.
function createIssue(url, mail, token, data) {
  return window.fetch(url, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json; charset=UTF-8',
      'Authorization': `Basic ${Base64.encode(`${mail}:${token}`)}`,
      'X-Atlassian-Token': 'no-check'
    },
    body: JSON.stringify(data)
  }).then(response => {
    // fetch() only rejects on network errors; a 403 still resolves, so check the status
    if (!response.ok) {
      throw new Error(`HTTP ${response.status}: ${response.statusText}`);
    }
    return response.json();
  })
  .catch(error => console.error(`Fetch Error =\n`, error));
}
```
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Permissions (from manifest.json):
```json
"permissions": [
  "pageCapture",
  "webRequest",
  "storage"
]
```
Happy about any help!
Marco
Further investigation:
If I use https://insomnia.rest/ to fire the call, all works fine. But if I set the User-Agent to the one my browser defined (Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36), I get the same error again.
Hey Marco, Were you ever able to resolve this issue? Thanks.
After having a look at several places, I did not find a solution. Then I played around with headers and this worked for me.
I am injecting PUT messages to Jira Server… via Talend API Tester (Chrome):
User-Agent: dummyValue
Content-Type: application/json
Accept: application/json
When I modified these, it worked; no more "XSRF check failed".
I think it's the User-Agent that causes the issue.
Please accept this answer if this works for you.
Hi, I know this is a very old issue, but I just stumbled upon this problem as well and I thought I might be able to help people with the same issue. In our case, there were two possible solutions:
- Change the User-Agent header (not possible as far as I know in Chrome).
- Whitelist/allowlist the origin domain in Jira. When you send a request to the Jira API your browser automatically populates the "Origin" header. You need to add that value to the whitelist/allowlist in Jira. See "Configuring the allowlist | Jira | Atlassian Documentation". Type "Domain" should work.
See the issue documented by Atlassian: "REST API calls with a browser User-Agent header may fail CSRF checks | Jira | Atlassian Documentation".
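The two fixes named in this thread are a non-browser User-Agent on the extension's own requests, or allowlisting the request Origin in Jira. The second is a Jira admin setting; the first can be done from inside the extension with the `webRequest` permission Marco already lists. What follows is an added example written for this thread, not code from any of the posts or from Atlassian: a Manifest V2 background script that rewrites the User-Agent only on requests the extension itself sends to the Jira REST API, leaving normal page traffic to Jira untouched. The host `company-name.atlassian.net` is the placeholder from the question; the product string `issue-clipper-extension/1.0`, the function names, and the assumption that manifest.json also grants `webRequestBlocking` and a host permission for `https://company-name.atlassian.net/*` are mine.

```javascript
// background.js (Manifest V2). Added example for this thread, not code from the posts.
// Assumes manifest.json grants "webRequest", "webRequestBlocking" and a host
// permission for https://company-name.atlassian.net/* (placeholder host from the question).

const JIRA_HOST = 'company-name.atlassian.net';        // placeholder host from the thread
const NON_BROWSER_UA = 'issue-clipper-extension/1.0';  // hypothetical product string

// Pure helper: return a copy of Chrome's request header list with the User-Agent
// replaced, or appended if none is present. Names are matched case-insensitively
// because Chrome reports headers exactly as they would be sent.
function rewriteUserAgent(requestHeaders, ua) {
  const out = [];
  let seen = false;
  for (const h of requestHeaders) {
    if (h.name.toLowerCase() === 'user-agent') {
      if (!seen) {
        out.push({ name: h.name, value: ua });
        seen = true;
      }
      // any duplicate User-Agent entries are dropped
    } else {
      out.push({ name: h.name, value: h.value });
    }
  }
  if (!seen) out.push({ name: 'User-Agent', value: ua });
  return out;
}

// Scope the rewrite to REST calls on the Jira host that were initiated by the
// extension itself (initiator is chrome-extension://<id>). Requests made by a
// content script carry the page's origin as initiator and are left alone.
function isJiraRestRequest(details, jiraHost) {
  let url;
  try {
    url = new URL(details.url);
  } catch (e) {
    return false;
  }
  return url.hostname === jiraHost
    && url.pathname.startsWith('/rest/')
    && typeof details.initiator === 'string'
    && details.initiator.startsWith('chrome-extension://');
}

// Register the blocking listener only when running inside Chrome.
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  chrome.webRequest.onBeforeSendHeaders.addListener(
    (details) => {
      if (!isJiraRestRequest(details, JIRA_HOST)) return {};
      return { requestHeaders: rewriteUserAgent(details.requestHeaders, NON_BROWSER_UA) };
    },
    { urls: [`https://${JIRA_HOST}/rest/*`] },
    ['blocking', 'requestHeaders']
  );
}
```

In Manifest V3, blocking `webRequest` listeners are only available to policy-installed extensions; the equivalent there is a `declarativeNetRequest` rule with a `modifyHeaders` action that sets `user-agent` under the same URL filter. Keep the rewrite scoped as above rather than changing the User-Agent for all Jira traffic: the XSRF check exists to stop a page in the browser from riding on the user's Jira session, and Marco's `fetch()` does not set `credentials: 'include'`, so the extension's Basic-auth calls carry no session cookie and are the only requests that need the exemption.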