Major When enabling the Global Security option "Prevent Cross Site Request Forgery exploits", the dynamic pop-up menus stop working (they dont appear at all anymore).
This applies to the Job menu in a view, to items in the Build Queue and the Build Executor Status, and to the "Jenkins" breadcrumb menu (top-left corner), so seems to apply to all menus.
"Crumb Algorithm" = "Default Crumb Issuer", and "Enable proxy compatibility" doesnt seem to make any difference.
- duplicates
-
JENKINS-12875 "No valid crumb was included in the request" errors all around
-
- Resolved
-
[JENKINS-24249] Dynamic pop-up menus don't appear when "Prevent Cross Site Request Forgery exploits" is enabled
| Component/s | New: gui [ 15492 ] |
| Environment |
Original:
Jenkins v1.575, jenkins stand-alone war file * nginx as a proxy server in front of jenkins. |
New:
Jenkins v1.575, jenkins stand-alone war file ginx as a proxy server in front of jenkins |
I'm calling this one a duplicate of JENKINS-12875. In the default config, Nginx cannot handle the default CSRF header name ".crumb". See that issue (and issues linked there IIRC) for solutions.
| Resolution | New: Duplicate [ 3 ] | |
| Status | Original: Open [ 1 ] | New: Resolved [ 5 ] |
| Link |
New:
This issue duplicates |
@danielbeck: you're right: I'm getting "HTTP/1.1 403 No valid crumb was included in the request" when trying to open the pop-up menu. Sorry for not having thought about that before.
Jenkins IRC Bot
made changes -
| Component/s | New: core [ 15593 ] | |
| Component/s | Original: gui [ 15492 ] |
| Workflow | Original: JNJira [ 157129 ] | New: JNJira + In-Review [ 195618 ] |
If this is a known down-side of enabling "Prevent Cross Site Request Forgery exploits", then it should be mentioned there, see
JENKINS-15252.