"Delete Project" link fails with 403 Exception: No valid crumb was included in the request

      Unable to delete any project.

        1. screenshot-1.png (31 kB)
        2. 18032-1.png (199 kB)
        3. 18032-2.png (24 kB)

          [JENKINS-18032] "Delete Project" link fails with 403 Exception: No valid crumb was included in the request

          John Genoese added a comment - - edited

          Attachment "18032-1.png" depicts a Jenkins project home page.

          Attachment "18032-2.png" depicts the 403 response to the "Delete Project" click.

          Matthew Epp added a comment -

          Also happening on my server now that I've upgraded to 1.515. Fedora 15.

          Matthew Epp added a comment -

          I was able to work around the issue by disabling "Prevent Cross Site Request Forgery exploits" in the global security.

          John Genoese added a comment -

          Workaround effectiveness confirmed. Thank you.

          Jesse Glick added a comment -

          Try clearing cookies from your browser. Having too many stale session cookies can cause this error.

          Francisco Ruiz added a comment -

          Fixed in https://github.com/jenkinsci/jenkins/pull/798 (pending)

          Disabling "Prevent Cross Site Request Forgery exploits" is a workaround and shouldn't be done.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          changelog.html
          http://jenkins-ci.org/commit/jenkins/10a072c7d496e5a11ed94ce071938a5506ec2064
          Log:
          JENKINS-17977 JENKINS-18032 Noting.

          Compare: https://github.com/jenkinsci/jenkins/compare/120716a8936f...10a072c7d496

          dogfood added a comment -

          Integrated in jenkins_main_trunk #2634
          JENKINS-17977 JENKINS-18032 Noting. (Revision 10a072c7d496e5a11ed94ce071938a5506ec2064)

          Result = SUCCESS
          Jesse Glick : 10a072c7d496e5a11ed94ce071938a5506ec2064
          Files :

          • changelog.html

          Miroslav Zaťko added a comment -

          I don't think this is resolved... It is still here with Jenkins 1.584, 1.585

          Thomas Pummer added a comment - - edited

          Got the same problem in 1.581, workaround is still valid

          Daniel Beck added a comment -

          thomasp mireczatko Are any of you using nginx as reverse proxy?

          Miroslav Zaťko added a comment -

          I am using Apache 2.2

          Daniel Beck added a comment -

          Do you have JavaScript enabled? Could you provide the full request (headers and form fields and everything) sent by your browser when confirming the deletion in the JavaScript popup dialog that appears after you click 'Delete Project'? Use your browser's developer tools to determine this.

          Miroslav Zaťko added a comment - - edited

          I hope this is what you requested...

          Remote Address:95.105.145.64:443
          Request URL:https://jenkins.mirexoft.com/job/testproject/doDelete
          Request Method:POST
          Status Code:403 Forbidden
          Request Headers
          POST /job/testproject/doDelete HTTP/1.1
          Host: jenkins.mirexoft.com
          Connection: keep-alive
          Content-Length: 0
          Pragma: no-cache
          Cache-Control: no-cache
          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
          Origin: https://jenkins.mirexoft.com
          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/37.0.2062.120 Chrome/37.0.2062.120 Safari/537.36
          Content-Type: application/x-www-form-urlencoded
          Referer: https://jenkins.mirexoft.com/
          Accept-Encoding: gzip,deflate
          Accept-Language: en-US,en;q=0.8,sk;q=0.6,cs;q=0.4
          Cookie: iconSize=16x16; ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE="bXphdGtvOjE0MTUyNTk4NTQ1OTk6MTE4MGY2OTMzMWY4NmExMjlhMDdlOGY4Y2Y2N2VjYWNlNTgzMzU3YmQzMjM0NDhlZTZiOWZiZTJkN2EwMTY3OA=="; JSESSIONID=425E4C90D41505AF70EC60E0E502E5CC; screenResolution=2048x1152
          Response Headers
          HTTP/1.1 403 Forbidden
          Date: Tue, 28 Oct 2014 22:25:35 GMT
          Server: Apache-Coyote/1.1
          Content-Type: text/html;charset=utf-8
          Content-Language: en
          Vary: Accept-Encoding
          Content-Encoding: gzip
          Keep-Alive: timeout=5, max=99
          Connection: Keep-Alive
          Transfer-Encoding: chunked

          Daniel Beck added a comment -

          For some reason it does not include the .crumb in the request body, judging by the Content-Length: 0. When I do this, it's Content-Length: 39, and the request body is

          .crumb: "002233334555666777888aabbcccccee"

          Are there any JavaScript errors on the page that shows the Delete Project link (that could prevent the .crumb from being added to the form)?

          Daniel Beck added a comment -

          Unfortunately, the crumb is added at the same time the POST is sent, so one should not happen without the other.

          In Firefox 33, I can suspend JavaScript in the debugger while the dialog shows. When I then confirm deletion, and Step Over one instruction, I'm in the inline script block that handles the form submit triggered by the confirmation. (In the HTML, it's the next sibling element after the Delete Project link.) Could you step over until after crumb.appendToForm(form) and then check what e.g. form.innerHTML looks like? For me, it's <div><input name=".crumb" value="002233335556667777888aabbcccccee" type="hidden"></div>

          Miroslav Zaťko added a comment -

          I'm not able to go as deep as the source code; however, I don't see any JavaScript error...

          Thomas Pummer added a comment -

          After using the workaround (disabling "Prevent Cross Site Request Forgery exploits"), it could not be reproduced at our Jenkins installation, even if it was turned back on.

          Daniel Beck added a comment -

          In the security configuration where CSRF protection is selected, is the Default Crumb Issuer also selected?

          Daniel Beck added a comment -

          Note that this can happen whenever you click a link or button before the page finishes loading (e.g. because an image takes long to load). There's JavaScript running in the background while the page loads and before that's done, the form will lack the crumb.

          So make sure to wait until the page has finished loading before clicking around.

          Nick Tkach added a comment -

          We're getting users with the same problem sporadically. Yes, we do have the CSRF protection enabled and the "Default Crumb Issuer" also checked. It seems to happen regardless of browser (done it at least on Firefox and Chrome) and regardless of platform (done it on OS X, Linux, and Windows). We're seeing it on Jenkins LTS 1.580.1.1 (Cloudbees Enterprise 14.11).

          Jesse Glick added a comment -

          ntkach Jenkins Enterprise customers should file a support ticket so we can work directly on diagnosis. Obviously if that leads ultimately to discovery and fix of a bug in open-source Jenkins code, then great.

          Daniel Beck added a comment -

          ntkach If it happens sporadically, make sure the web page has finished loading when you click the link, as only then will the crumb have been attached to it.

          Roman Pickl added a comment -

          I get the same error if I try to delete a job via click in the context menu in the job overview -> context menu.

          Jenkins ver. 1.580.1

          Jim Rath added a comment -

          If you're using Jenkins behind a reverse proxy using nginx, see JENKINS-12875. The .crumb header gets ignored by default by nginx.
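
The two failure modes diagnosed in this thread (Daniel Beck's Content-Length: 0 observation and Jim Rath's nginx note) can be told apart from a captured request. The following is an added example, not code from Jenkins or from any commenter; it assumes the crumb field is named .crumb as quoted above, and the host name and sample requests are constructed.

```javascript
// Added example: triage a captured request for a missing CSRF crumb.
// The field name ".crumb" is the one quoted in this thread; the sample
// requests are constructed (example host, crumb value from the thread).
const CRUMB_FIELD = '.crumb';

// Split a raw HTTP/1.x request into method, header pairs and body.
function parseRequest(raw) {
  const text = raw.replace(/\r\n/g, '\n');
  const sep = text.indexOf('\n\n');
  const head = sep === -1 ? text : text.slice(0, sep);
  const body = sep === -1 ? '' : text.slice(sep + 2);
  const [requestLine, ...lines] = head.split('\n');
  const headers = [];
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i > 0) headers.push([line.slice(0, i).trim(), line.slice(i + 1).trim()]);
  }
  return { method: requestLine.split(' ')[0], headers, body };
}

function getHeader(headers, name) {
  const hit = headers.find(([n]) => n.toLowerCase() === name.toLowerCase());
  return hit ? hit[1] : undefined;
}

// With nginx defaults (ignore_invalid_headers on, underscores_in_headers off)
// only header names made of letters, digits and hyphens are passed on.
function droppedByNginxDefault(name) {
  return !/^[A-Za-z0-9-]+$/.test(name);
}

// Report where the crumb travels and why the server might not see it.
function diagnoseCrumb(raw, field = CRUMB_FIELD) {
  const req = parseRequest(raw);
  const type = getHeader(req.headers, 'Content-Type') || '';
  const inBody = type.startsWith('application/x-www-form-urlencoded') &&
    new URLSearchParams(req.body).has(field);
  const inHeader = getHeader(req.headers, field) !== undefined;
  return {
    crumbIn: inBody ? 'body' : inHeader ? 'header' : 'none',
    bodyBytes: Buffer.byteLength(req.body),
    // Content-Length: 0 on a POST: no form field at all was sent in the body.
    emptyBody: req.method === 'POST' && getHeader(req.headers, 'Content-Length') === '0',
    proxyDropsHeader: inHeader && !inBody && droppedByNginxDefault(field),
  };
}

const HEAD = 'POST /job/testproject/doDelete HTTP/1.1\r\n' +
  'Host: jenkins.example.test\r\n' +
  'Content-Type: application/x-www-form-urlencoded\r\n';
const CRUMB = '002233334555666777888aabbcccccee';
const SAMPLES = {
  missing: HEAD + 'Content-Length: 0\r\n\r\n',
  inBody: HEAD + 'Content-Length: 39\r\n\r\n' + CRUMB_FIELD + '=' + CRUMB,
  inHeader: HEAD + CRUMB_FIELD + ': ' + CRUMB + '\r\nContent-Length: 0\r\n\r\n',
};

for (const [name, raw] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(diagnoseCrumb(raw)));
}
```

A result of crumbIn "none" with emptyBody true points at the page's JavaScript not attaching the crumb; crumbIn "header" with proxyDropsHeader true points at the reverse proxy configuration instead.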

          Daniel Beck added a comment -

          ntkach Did you find out what the cause for your issue was?

          elephantjim: Good reference, but when it's sporadic (Nick), or happens behind Apache (Miroslav), it's a different issue.

          Daniel Beck added a comment -

          Anyone still experiencing this issue, but not behind nginx reverse proxy, after the web page finished loading, etc?

          John Genoese added a comment -

          Is there a fix release that I can download and test?

          Daniel Beck added a comment -

          I don't think this specific issue has been addressed. I'd like to get some updated information, so if anyone still has this problem on a recent version of Jenkins (1.6xx), please let me know. https://wiki.jenkins-ci.org/display/JENKINS/How+to+report+an+issue may be a helpful read – the more information you can provide, the better.

          Wei-min Lee added a comment -

          This happens from the Dashboard view when you choose Delete Project from the project dropdown menu.

          Roman Pickl added a comment -

          I can confirm this in version 1.596.3

          Hany Fahim added a comment - - edited

          This issue also appears to affect 1.620. Are there any workarounds for this? I can confirm that the crumb header makes it through with other requests, just not when deleting, and possibly others as well.

          Daniel Beck added a comment -

          Appears to only affect the "Delete Project" link in the popup menu. Workaround is then to navigate to the project and click the link there.

          Anyone experiencing something different?

          Sumith Augustine added a comment -

          I have the same issue, and the workaround is the same as mentioned by danielbeck: Navigate to the project >> Delete Project (on the left hand side) >> and confirm.

          Daniel Beck added a comment -

          Easy workaround is present (see preceding comments), so lowering priority.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          core/src/main/resources/lib/layout/breadcrumbs.js
          http://jenkins-ci.org/commit/jenkins/57fced93596b1f8bd69f00f154430a11530393de
          Log:
          [FIXED JENKINS-18032] Crumbs must be appended when using post=true requiresConfirmation=true.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/src/main/resources/lib/layout/breadcrumbs.js
          http://jenkins-ci.org/commit/jenkins/37111bf12e5038fcd240bbefb3aa9474e45585c2
          Log:
          Merge pull request #2131 from jglick/requiresConfirmation-post-context-menu-JENKINS-18032

          JENKINS-18032 Fix Delete Project from context menu when using CSRF defense

          Compare: https://github.com/jenkinsci/jenkins/compare/35ec989afffc...37111bf12e50

          dogfood added a comment -

          Integrated in jenkins_main_trunk #4511
          [FIXED JENKINS-18032] Crumbs must be appended when using post=true (Revision 57fced93596b1f8bd69f00f154430a11530393de)

          Result = SUCCESS
          jesse glick : 57fced93596b1f8bd69f00f154430a11530393de
          Files :

          • core/src/main/resources/lib/layout/breadcrumbs.js

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          core/src/main/resources/lib/layout/breadcrumbs.js
          http://jenkins-ci.org/commit/jenkins/328be10df62c8d349e6f1b76939aed13b5784e80
          Log:
          [FIXED JENKINS-18032] Crumbs must be appended when using post=true requiresConfirmation=true.
          (cherry picked from commit 57fced93596b1f8bd69f00f154430a11530393de)
