Upload gets stuck in Assets

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

When uploading files to Assets, like CSV, JSON, and attachments, the upload gets stuck.

Atlassian applications allow the use of reverse-proxies within our products, however Atlassian Support does not provide assistance for configuring them. Consequently, Atlassian can not guarantee providing any support for them.

If assistance with configuration is required, please raise a question on Atlassian Community.

Diagnosis

  • The browser development console might show a 404 Error.

  • The atlassian-jira.log shows the following warning message when performing the upload:

1 2022-08-29 18:09:49,853+0100 http-nio-8080-exec-251 url: /rest/insight-am/1/assets/OBJ-1001/attachments/upload; user: JIRAUSER WARN JIRAUSER 1089x604511x1 1mqcy3x 62.69.98.44,10.130.10.27,127.0.0.1 /rest/insight-am/1/assets/OBJ-1001/attachments/upload [c.a.p.r.c.security.jersey.XsrfResourceFilter] XSRF checks failed for request: https://example.domain/rest/insight-am/1/assets/OBJ-1001/attachments/upload , origin: https://another-origin.domain , referrer: https://another-origin.domain

Cause

There could be several reasons behind the root cause of this issue. However, there is a high chance that the load balancer/proxy might be causing the issue. We recommend that you verify your load balancer/proxy configurations.

The server receives requests from the same origin, as the form page is the same origin as the form submission, thus, the XSRF HTTP header matches. However for the XSRF check to succeed, the form token and cookie token sent to the server must match. The problem occurs because modern web browsers (beginning Chrome 80+) do not accept the atlassian.xsrf.cookie initially sent by the server in an iframe as it is treated as cross-site and is therefore rejected. This is because the cookie does not have the Same-Site:None attribute set (see JRASERVER-73212).

Solution

Workaround

The following workaround will disable XSRF checks for the Insight add-on file uploads. 

Modify the reverse proxy / load balancer / WAF to add the following header to the request as it makes it's way to the Jira node:

Object Import upload URL:

  • Condition: Method: POST

  • Condition: Request URL:/rest/insight/1.0/file/*

  • Action: Add header: X-Atlassian-Token: no-check

Object attachments upload URL:

  • Condition: Method: POST

  • Condition: Request URL:/rest/insight-am/1/assets/*

  • Action: Add header: X-Atlassian-Token: no-check

Updated on April 24, 2025
Platform
Data Center only
Products
Jira Software Data Center
Jira Service Management Data Center
On this pageSummaryDiagnosisCauseSolution

Still need help?

The Atlassian Community is here for you.
Ask the Community