Josiah Colvin

Reputation: 145

Bypassing XSRF token check

I am attempting to utilize jQuery AJAX to POST dynamic data into JIRA. The idea is to POST to the JIRA REST API via "rest/api/2/issue/".

I believe I have all of my jQuery laid out properly. The issue I'm having trouble getting past is the "XSRF token check" upon execution. Every time I attempt to run my code, it returns "XSRF token check failed" from the server.

I have read about the "X-Atlassian-Token" header. I have that as an allowed header on my jira server config. i.e...

'Header always set Access-Control-Allow-Headers "X-Atlassian-Token, Authorization, Content-Type"'

I have also set the header on my AJAX request. "X-Atlassian-Token": "no-check"

Can someone assist me in getting this to work properly? JIRA version tested with is 6.4.12.

My current AJAX code is below for review.

$.ajax({
  url: "https://my-jira-host.com/rest/api/2/issue/",
  type: "POST",
  async: false, // synchronous request, as in the original
  headers: {
    "X-Atlassian-Token": "nocheck",
    "Content-Type": "application/json",
    "Authorization": "Basic " + btoa("<username>:<password>")
  },
  crossDomain: true,
  dataType: "json",
  data: JSON.stringify({
    "fields": {
      "project": {"key": "CLS"},
      "priority": {"name": "Minor"},
      "customfield_17125": {"value": "<Department>"},
      "customfield_17127": "<HOSTNAME>",
      "customfield_17126": {"value": "<Object>"},
      "issuetype": {"name": "<issue-type>"},
      "customfield_17128": "dsfgfdsg",
      "summary": "Department | HOSTNAME | Object",
      "description": "sdfgfdg"
    }
  }),
  // jQuery passes (data, textStatus, jqXHR) to success: the response object is the third argument
  success: function(data, textStatus, jqXHR) {
    console.log("POST was a success!");
    console.log("HTTP Response: " + jqXHR.responseText);
    console.log("HTTP Status: " + jqXHR.status);
  },
  // error receives (jqXHR, textStatus, errorThrown)
  error: function(jqXHR, textStatus, errorThrown) {
    console.log("POST was a failure!");
    console.log("HTTP Error Message: " + jqXHR.responseText);
    console.log("HTTP Status: " + jqXHR.status);
  }
});

I should also mention that this code is being sent from a client website I created internally. Both the client front-end and the JIRA host are on the same internal network.

Upvotes: 3

Views: 4605

Answers (1)

Fadi Makram

Reputation: 85

XSRF (Cross Site Request Forgery) is a security feature used by Jira to prevent users from being tricked into submitting malicious data.

If you are using Firefox or Chrome, you may need to set the User-Agent with a dummy value like this:

headers: {
  "X-Atlassian-Token": "nocheck",
  "Content-Type": "application/json",
  "Authorization": "Basic " + btoa("<username>:<password>"),
  "User-Agent": "xx"
},

Upvotes: 2
