Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-53462

Jenkins websites use non-trusted 'submit' event to start form submission when current browser is Firefox

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Major Major
    • core
    • classic login form (before 2.128), regular "Save" form submission buttons on the classic UI
    • Jenkins 2.173 to 2.201, removed from 2.202, 2.289 released Apr 20, 2021

      HTML spec [[1]|https://w3c.github.io/uievents/#trusted-events] says "Most untrusted events will not trigger default actions, with the exception of the click event.". Now Firefox doesn't comply with the spec. When I try to fix the bug [[2]|https://bugzilla.mozilla.org/show_bug.cgi?id=1370630], a regression has happened on all Jenkins websites. Users can't login Jenkins websites with Firefox anymore. After some experiments, it seems the Jenkins websites detect the browser's user agent and use untrusted 'submit' event to start form submission when the current browser is Firefox. Changing the UA of Chrome to the same string as Firefox also block the form submission.

       

      The steps I used to reproduce this problem

      On Chrome

      1. Change UA to the same string as Firefox
      2. Navigate https://jenkins.qa.ubuntu.com/
      3. Click login
      4. Enter username/password and press 'log in' button
      5. Nothing happened

      Expectation

      Don't use untrusted events to start form submission on Jenkins websites.

       

      [1] https://w3c.github.io/uievents/#trusted-events

      [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1370630

       

          [JENKINS-53462] Jenkins websites use non-trusted 'submit' event to start form submission when current browser is Firefox

          Henrik Skupin added a comment -

           Great. Let me know if you see any problems. At least being able to turn on/off the feature should hopefully help to make it work for both modes. If that's not possible we would still have to figure out a good release process for that feature once we are ready to ship it.

          Henrik Skupin added a comment -  Great. Let me know if you see any problems. At least being able to turn on/off the feature should hopefully help to make it work for both modes. If that's not possible we would still have to figure out a good release process for that feature once we are ready to ship it.

          Daniel Beck added a comment -

          Daniel Beck added a comment - Fix attempt at https://github.com/jenkinsci/jenkins/pull/5405

          Henrik Skupin added a comment -

          danielbeck I have seen that the PR on Github has been merged, which is great to see. What else is left on the Jenkins side, and what does it mean to this issue report? Can it be closed now?

          Which version including the LTS will contain this fix? Depending on the other issues that we have to fix what is the time frame of shipping this code? Thanks.

          Henrik Skupin added a comment - danielbeck I have seen that the PR on Github has been merged, which is great to see. What else is left on the Jenkins side, and what does it mean to this issue report? Can it be closed now? Which version including the LTS will contain this fix? Depending on the other issues that we have to fix what is the time frame of shipping this code? Thanks.

          Daniel Beck added a comment -

          Can it be closed now?

          We usually do that only once a weekly release is out that has the fix. Too many folks are otherwise confused ("I'm on the latest release and the bug is still there" etc).

          Which version including the LTS will contain this fix?

          TBD, whichever LTS line includes 2.289 (unless we have to back it out again ); we decide on baseline later this week. I doubt we want to expedite into LTS again after the problems last time.

          Depending on the other issues that we have to fix what is the time frame of shipping this code?

          Maybe in LTS early June, pretty sure in LTS late August.

          Daniel Beck added a comment - Can it be closed now? We usually do that only once a weekly release is out that has the fix. Too many folks are otherwise confused ("I'm on the latest release and the bug is still there" etc). Which version including the LTS will contain this fix? TBD, whichever LTS line includes 2.289 (unless we have to back it out again ); we decide on baseline later this week. I doubt we want to expedite into LTS again after the problems last time. Depending on the other issues that we have to fix what is the time frame of shipping this code? Maybe in LTS early June, pretty sure in LTS late August.

          Henrik Skupin added a comment -

          Thank you for the information! If there is a problem on our side please also let me know.

          Henrik Skupin added a comment - Thank you for the information! If there is a problem on our side please also let me know.

          Mark Waite added a comment -

          Jenkins 2.289 released Apr 20, 2021 included PR-5405

          Mark Waite added a comment - Jenkins 2.289 released Apr 20, 2021 included PR-5405

          Mark Waite added a comment -

          Change in Jenkins 2.289 seems to have caused a regression described in the pull request comment.

          Mark Waite added a comment - Change in Jenkins 2.289 seems to have caused a regression described in the pull request comment .

          Henrik Skupin added a comment -

          danielbeck, could you please give an update here? Given the last comment on this issue there is another regression. So far I haven't seen a backout, so does it mean your patch will be kept in the https://www.jenkins.io/changelog-stable/#v2.289.2 LTS release? Thanks!

          Henrik Skupin added a comment - danielbeck , could you please give an update here? Given the last comment on this issue there is another regression. So far I haven't seen a backout, so does it mean your patch will be kept in the https://www.jenkins.io/changelog-stable/#v2.289.2 LTS release? Thanks!

          Daniel Beck added a comment -

          whimboo Looks like we've reached a stable state after https://github.com/jenkinsci/jenkins/pull/5479

          Daniel Beck added a comment - whimboo Looks like we've reached a stable state after https://github.com/jenkinsci/jenkins/pull/5479

          Henrik Skupin added a comment -

          Thanks a lot for the confirmation!

          Henrik Skupin added a comment - Thanks a lot for the confirmation!

            Unassigned Unassigned
            iamstone ming-chou shih
            Votes:
            1 Vote for this issue
            Watchers:
            10 Start watching this issue

              Created:
              Updated:
              Resolved: