REST API request fails with "XSRF check failed"

marco.link · August 6, 2018, 3:11pm

Hi Folks,

We are currently developing a browser extension to create issues from specific web content.
Sending data to _https://company-name.atlassian.net/rest/api/2/issue_ result in 403 -XSRF check failed

Some Information:

Chrome Browser
We use Basic Authentication with token.
We do see the token we use is valid (Atlassian account shows token has been used)
Request “Origin” and “Referer” have the same base url.
calling the same endpoint with same data from curl works just fine.

I found several information/Topics about that error. But since we are in a browser environment, we can’t manipulate “User-Agent” header, which some people suggest

The code for the request looks like this:

return window.fetch(url, {
    method: 'POST',
    headers: {
        'Content-Type': 'application/json; charset=UTF-8',
        'Authorization': `Basic ${Base64.encode(`${mail}:${token}`)}`,
        'X-Atlassian-Token': 'no-check'
    },
    body: JSON.stringify(data)
}).then(response => response.json()) 
  .catch(error => console.error(`Fetch Error =\n`, error));

User-Agent:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36

Permissions:

"permissions": [
    "pageCapture",
    "webRequest",
    "storage"
]

Happy about any help!

Marco

marco.link · August 7, 2018, 9:12am

Further Investigation:

If i use https://insomnia.rest/ to fire the call, all works fine. But if i set the User-Agent to the one my browser defined Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36 i get the same error again.

ChandraKanth · July 8, 2020, 11:45am

Hey Marco, Were you ever able to resolve this issue? Thanks.

PrashantB · July 6, 2021, 2:26pm

After having a look at several places, did not find a solution. Then played around with headers and this worked for me.

I am injecting PUT messages to Jira Server… via Talend API tester (chrome)

User-Agent: dummyValue
Content-Type: application/json
Accept: application/json

When I modified these, it worked. no more XSRF check failed
I think it’s the user-agent that causes the issue.

Please accept this answer if this works for you.

LukasMeili · August 17, 2021, 10:04am

Hi, I know this is a very old issue but I just stumbled upon this problem as well and I thought I might be able to help people with the same issue. In our case, there were two possible solutions.

Change User Agents Header (Not possible as far as I know in Chrome)
Whitelist/Allowlist the origin domain in Jira. When you send a request to the Jira API your browser automatically populates the “origin” header. You need to add that value to the whitelist/allowlist in Jira. → See here Configuring the allowlist | Jira | Atlassian Documentation
Type “Domain” should work.

See the issue documented by Atlassian:

REST API calls with a browser User-Agent header may fail CSRF checks | Jira | Atlassian Documentation