Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-53462

Jenkins websites use non-trusted 'submit' event to start form submission when current browser is Firefox

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Reopened (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: core
    • Labels:
    • Environment:
      classic login form (before 2.128), regular "Save" form submission buttons on the classic UI
    • Similar Issues:
    • Released As:
      Jenkins 2.173 to 2.201, removed from 2.202

      Description

      HTML spec [[1]|https://w3c.github.io/uievents/#trusted-events] says "Most untrusted events will not trigger default actions, with the exception of the click event.". Now Firefox doesn't comply with the spec. When I try to fix the bug [[2]|https://bugzilla.mozilla.org/show_bug.cgi?id=1370630], a regression has happened on all Jenkins websites. Users can't login Jenkins websites with Firefox anymore. After some experiments, it seems the Jenkins websites detect the browser's user agent and use untrusted 'submit' event to start form submission when the current browser is Firefox. Changing the UA of Chrome to the same string as Firefox also block the form submission.

       

      The steps I used to reproduce this problem

      On Chrome

      1. Change UA to the same string as Firefox
      2. Navigate https://jenkins.qa.ubuntu.com/
      3. Click login
      4. Enter username/password and press 'log in' button
      5. Nothing happened

      Expectation

      Don't use untrusted events to start form submission on Jenkins websites.

       

      [1] https://w3c.github.io/uievents/#trusted-events

      [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1370630

       

        Attachments

          Issue Links

            Activity

            Hide
            danielbeck Daniel Beck added a comment -

            Reopened because 2.202 backed out the change again due to the regression it caused (JENKINS-58296).

            Show
            danielbeck Daniel Beck added a comment - Reopened because 2.202 backed out the change again due to the regression it caused ( JENKINS-58296 ).
            Hide
            whimboo Henrik Skupin added a comment -

            Hi Daniel Beck. After a year has been passed-by I wanted to check back if there has been made some progress on this particular issue. As known the change got backed out for 2.202, but was there any attempt again to get a fix landed?

            On our side we would kinda like to remove this broken code from Firefox but are still blocked by this particular web-compat issue.

            Thanks.

            Show
            whimboo Henrik Skupin added a comment - Hi Daniel Beck . After a year has been passed-by I wanted to check back if there has been made some progress on this particular issue. As known the change got backed out for 2.202, but was there any attempt again to get a fix landed? On our side we would kinda like to remove this broken code from Firefox but are still blocked by this particular web-compat issue. Thanks.
            Hide
            danielbeck Daniel Beck added a comment -

            I'm confused, according to https://issues.jenkins-ci.org/browse/JENKINS-58296?focusedCommentId=376769&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-376769 the Firefox change was backed out again, so I thought you'd given up on this.

            Show
            danielbeck Daniel Beck added a comment - I'm confused, according to https://issues.jenkins-ci.org/browse/JENKINS-58296?focusedCommentId=376769&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-376769 the Firefox change was backed out again, so I thought you'd given up on this.
            Hide
            whimboo Henrik Skupin added a comment -

            You are right, sorry. I will try to get a clarification from our DOM folks. I will report back when there are news.

            Show
            whimboo Henrik Skupin added a comment - You are right, sorry. I will try to get a clarification from our DOM folks. I will report back when there are news.
            Hide
            whimboo Henrik Skupin added a comment -

            Please see https://bugzilla.mozilla.org/show_bug.cgi?id=1370630#c72 for a possible strategy on our side. There is no ETA yet.

            Show
            whimboo Henrik Skupin added a comment - Please see https://bugzilla.mozilla.org/show_bug.cgi?id=1370630#c72 for a possible strategy on our side. There is no ETA yet.

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              iamstone ming-chou shih
              Votes:
              1 Vote for this issue
              Watchers:
              9 Start watching this issue

                Dates

                Created:
                Updated: