Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-53462

Jenkins websites use non-trusted 'submit' event to start form submission when current browser is Firefox

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Component/s: core
    • Labels:
    • Environment:
      classic login form (before 2.128), regular "Save" form submission buttons on the classic UI
    • Similar Issues:
    • Released As:
      Jenkins 2.173 to 2.201, removed from 2.202, 2.289 released Apr 20, 2021

      Description

      HTML spec [[1]|https://w3c.github.io/uievents/#trusted-events] says "Most untrusted events will not trigger default actions, with the exception of the click event.". Now Firefox doesn't comply with the spec. When I try to fix the bug [[2]|https://bugzilla.mozilla.org/show_bug.cgi?id=1370630], a regression has happened on all Jenkins websites. Users can't login Jenkins websites with Firefox anymore. After some experiments, it seems the Jenkins websites detect the browser's user agent and use untrusted 'submit' event to start form submission when the current browser is Firefox. Changing the UA of Chrome to the same string as Firefox also block the form submission.

       

      The steps I used to reproduce this problem

      On Chrome

      1. Change UA to the same string as Firefox
      2. Navigate https://jenkins.qa.ubuntu.com/
      3. Click login
      4. Enter username/password and press 'log in' button
      5. Nothing happened

      Expectation

      Don't use untrusted events to start form submission on Jenkins websites.

       

      [1] https://w3c.github.io/uievents/#trusted-events

      [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1370630

       

        Attachments

          Issue Links

            Activity

            Hide
            markewaite Mark Waite added a comment -

            Jenkins 2.289 released Apr 20, 2021 included PR-5405

            Show
            markewaite Mark Waite added a comment - Jenkins 2.289 released Apr 20, 2021 included PR-5405
            Hide
            markewaite Mark Waite added a comment -

            Change in Jenkins 2.289 seems to have caused a regression described in the pull request comment.

            Show
            markewaite Mark Waite added a comment - Change in Jenkins 2.289 seems to have caused a regression described in the pull request comment .
            Hide
            whimboo Henrik Skupin added a comment -

            Daniel Beck, could you please give an update here? Given the last comment on this issue there is another regression. So far I haven't seen a backout, so does it mean your patch will be kept in the https://www.jenkins.io/changelog-stable/#v2.289.2 LTS release? Thanks!

            Show
            whimboo Henrik Skupin added a comment - Daniel Beck , could you please give an update here? Given the last comment on this issue there is another regression. So far I haven't seen a backout, so does it mean your patch will be kept in the https://www.jenkins.io/changelog-stable/#v2.289.2 LTS release? Thanks!
            Hide
            danielbeck Daniel Beck added a comment -

            Henrik Skupin Looks like we've reached a stable state after https://github.com/jenkinsci/jenkins/pull/5479

            Show
            danielbeck Daniel Beck added a comment - Henrik Skupin Looks like we've reached a stable state after https://github.com/jenkinsci/jenkins/pull/5479
            Hide
            whimboo Henrik Skupin added a comment -

            Thanks a lot for the confirmation!

            Show
            whimboo Henrik Skupin added a comment - Thanks a lot for the confirmation!

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              iamstone ming-chou shih
              Votes:
              1 Vote for this issue
              Watchers:
              10 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: