Getting XSRF error when making POST REST call from dialog

Tom Hudgins
Contributor
March 5, 2021

I'm using ScriptRunner to implement a pop-up dialog in a ticket using a fragment and a ScriptRunner REST endpoint. The dialog contains an HTML form that then sends its data to another ScriptRunner REST endpoint for processing of the data in the form.

This all works fine if the form does a GET to send its data to the second endpoint. However, if I make the second endpoint a POST endpoint and POST the form data to it, I get an XSRF error in my browser and it doesn't work. I can send the POST request from, say, Postman directly and that works fine.

I see lots of posts from people having this or a similar issue and the solution seems to hinge on setting specific headers in the POST call. It's unclear to me exactly what the solution is and how to accomplish this in my situation because I'm just doing an HTML form POST and I don't really have access to setting headers and such. 

Thanks for any insight

2 answers

1 accepted

0 votes
Answer accepted
Tom Hudgins
Contributor
March 14, 2021

I wanted to follow up on my own post because I've gotten a full/clear solution with the help of Adaptavist Support. They helped me get a security token embedded in the form data with this code (snippet):

import com.atlassian.jira.component.ComponentAccessor
import com.atlassian.jira.security.xsrf.XsrfTokenGenerator

...
// Generate the XSRF token for the current request (request is the endpoint's HttpServletRequest)
XsrfTokenGenerator xsrfTokenGenerator = ComponentAccessor.getComponentOfType(XsrfTokenGenerator.class)
String atl_token = xsrfTokenGenerator.generateToken(request)
...

                // Inside the form markup: carry the token back in a hidden field
                input(type:"hidden", name:"atl_token", value:"${atl_token}")

With that hidden field, I got past the XSRF error when the form was POSTed back to another ScriptRunner REST endpoint.

Then, in that endpoint, it was just a matter of reading the field values from the Map in the HttpServletRequest parameter. 

Hope this helps someone else.
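
A fuller sketch of the pattern in the answer above, added here as an example and not code from the original post or from Adaptavist: one ScriptRunner REST endpoint renders the form with the hidden `atl_token`, and a second one receives the POST and reads the fields from the `HttpServletRequest`. The endpoint names `showTokenForm` and `saveForm`, the group `jira-software-users`, the `comment` field and the explicit `validateToken` call in the POST handler are assumptions for illustration, and the dialog wrapper markup around the form is left out.

```groovy
import com.atlassian.jira.component.ComponentAccessor
import com.atlassian.jira.security.xsrf.XsrfTokenGenerator
import com.onresolve.scriptrunner.runner.rest.common.CustomEndpointDelegate
import groovy.transform.BaseScript
import groovy.xml.MarkupBuilder
import javax.servlet.http.HttpServletRequest
import javax.ws.rs.core.MediaType
import javax.ws.rs.core.MultivaluedMap
import javax.ws.rs.core.Response

@BaseScript CustomEndpointDelegate delegate

// GET endpoint (hypothetical name): renders the form and embeds the caller's XSRF token.
showTokenForm(httpMethod: "GET", groups: ["jira-software-users"]) { MultivaluedMap queryParams, String body, HttpServletRequest request ->
    XsrfTokenGenerator xsrf = ComponentAccessor.getComponentOfType(XsrfTokenGenerator)
    String atlToken = xsrf.generateToken(request)

    def writer = new StringWriter()
    // MarkupBuilder escapes attribute values, so the token cannot break out of the markup.
    new MarkupBuilder(writer).form(method: "post",
            action: "${request.contextPath}/rest/scriptrunner/latest/custom/saveForm") {
        input(type: "hidden", name: "atl_token", value: atlToken)
        input(type: "text", name: "comment")
        button(type: "submit", "Save")
    }
    Response.ok().type(MediaType.TEXT_HTML).entity(writer.toString()).build()
}

// POST endpoint (hypothetical name): receives the form submission.
saveForm(httpMethod: "POST", groups: ["jira-software-users"]) { MultivaluedMap queryParams, String body, HttpServletRequest request ->
    XsrfTokenGenerator xsrf = ComponentAccessor.getComponentOfType(XsrfTokenGenerator)
    String token = request.getParameter("atl_token")

    // Explicit check added in this example; reject a missing or mismatched token.
    if (!token || !xsrf.validateToken(request, token)) {
        return Response.status(Response.Status.FORBIDDEN).entity("XSRF check failed").build()
    }

    // Field values come from the request parameters, as the answer describes.
    String comment = request.getParameter("comment")?.trim()
    if (!comment) {
        return Response.status(Response.Status.BAD_REQUEST).entity("comment is required").build()
    }
    Response.ok("Received ${comment.length()} characters".toString()).build()
}
```

Keeping the state-changing endpoint on POST with a per-session token, rather than moving it back to GET, is what preserves the XSRF protection for this form.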

0 votes
Burak Kaya
Contributor
March 6, 2021

Hi Tom,

Yes, you should add an extra header to bypass this. Doing this in an HTML POST is not possible, so you may use JavaScript or jQuery.

Please see the links below, which I believe will help you.

https://stackoverflow.com/questions/9516865/how-to-set-a-header-field-on-post-a-form
https://stackoverflow.com/questions/32901015/how-to-add-header-authorization-for-post-form-using-js-ajax-jquery
https://stackoverflow.com/questions/57459865/how-to-submit-a-html-form-with-header

Hope this helps you.

Regards,
Burak

Tom Hudgins
Contributor
March 8, 2021

Thanks Burak,

This is what I have come to realize also. What I'm not sure of is how to make the AJAX calls from within my pop-up dialog "code". All of the examples seem to assume you can just add your event handler in the window on ready event but it seems like the page has already loaded when the REST endpoint shows the dialog. I can't quite wrap my head around what I can do in that code. I guess I'm going to have to understand that a bit better. 

Thanks

DEPLOYMENT TYPE
SERVER