
Dynamic pop-up menus don't appear when "Prevent Cross Site Request Forgery exploits" is enabled

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Major
    • _unsorted, core
    • None
    • Jenkins v1.575, jenkins stand-alone war file
      nginx as a proxy server in front of jenkins

      When enabling the Global Security option "Prevent Cross Site Request Forgery exploits", the dynamic pop-up menus stop working (they don't appear at all anymore).

      This applies to the Job menu in a view, to items in the Build Queue and the Build Executor Status, and to the "Jenkins" breadcrumb menu (top-left corner), so it seems to apply to all menus.

      "Crumb Algorithm" = "Default Crumb Issuer", and "Enable proxy compatibility" doesn't seem to make any difference.

          [JENKINS-24249] Dynamic pop-up menus don't appear when "Prevent Cross Site Request Forgery exploits" is enabled


          Stefan Thurnherr added a comment - If this is a known down-side of enabling "Prevent Cross Site Request Forgery exploits", then it should be mentioned there, see JENKINS-15252.


          Daniel Beck added a comment - I'm calling this one a duplicate of JENKINS-12875. In the default config, Nginx cannot handle the default CSRF header name ".crumb". See that issue (and issues linked there IIRC) for solutions.


          Stefan Thurnherr added a comment - @danielbeck: you're right: I'm getting "HTTP/1.1 403 No valid crumb was included in the request" when trying to open the pop-up menu. Sorry for not having thought about that before.
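
Added example, not part of the issue thread and not Jenkins or nginx code: a simplified Python model of the header-name rule in the nginx documentation for `ignore_invalid_headers`, showing why the `.crumb` header never reaches Jenkins and the request ends in the 403 quoted above. The function names, the constructed request and the alternative header name `Example-Crumb` are assumptions made for illustration.

```python
import string

# Rule from the nginx docs for ignore_invalid_headers: a valid header name is
# made of English letters, digits and hyphens, plus underscores only when
# underscores_in_headers is on. Anything else (such as a dot) is "invalid".
_BASE_CHARS = set(string.ascii_letters + string.digits + "-")


def header_name_is_valid(name, underscores_in_headers=False):
    allowed = _BASE_CHARS | ({"_"} if underscores_in_headers else set())
    return bool(name) and all(ch in allowed for ch in name)


def headers_seen_by_backend(headers, ignore_invalid_headers=True,
                            underscores_in_headers=False):
    """Headers this simplified proxy model passes on to the backend."""
    if not ignore_invalid_headers:
        return dict(headers)  # invalid names are no longer dropped
    return {name: value for name, value in headers.items()
            if header_name_is_valid(name, underscores_in_headers)}


def backend_status(headers, crumb_header=".crumb"):
    """Simplified CSRF check: reject when the crumb header is absent."""
    return 200 if crumb_header in headers else 403


# Constructed request, shaped like the AJAX call behind a pop-up menu.
SAMPLE_REQUEST = {
    "Host": "jenkins.example.test",
    "Accept": "text/html",
    ".crumb": "0123abcd-constructed-value",
}

if __name__ == "__main__":
    for ignore in (True, False):
        seen = headers_seen_by_backend(SAMPLE_REQUEST, ignore_invalid_headers=ignore)
        print(f"ignore_invalid_headers={'on' if ignore else 'off'}: "
              f"backend sees {sorted(seen)} -> HTTP {backend_status(seen)}")
    # A hypothetical crumb header name made only of letters and a hyphen
    # would pass the default check; one with an underscore would not.
    for name in ("Example-Crumb", "example_crumb"):
        print(name, "valid by default:", header_name_is_valid(name))
```

Turning `ignore_invalid_headers` off applies to every request header nginx receives, not only the crumb, so the backend has to tolerate whatever names then pass through.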

            Assignee: Unassigned
            Reporter: Stefan Thurnherr (stefanthurnherr)