Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-53462

Jenkins websites use non-trusted 'submit' event to start form submission when current browser is Firefox

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Component/s: core
    • Labels:
    • Environment:
      classic login form (before 2.128), regular "Save" form submission buttons on the classic UI
    • Similar Issues:
    • Released As:
      Jenkins 2.173 to 2.201, removed from 2.202, 2.289 released Apr 20, 2021

      Description

      HTML spec [[1]|https://w3c.github.io/uievents/#trusted-events] says "Most untrusted events will not trigger default actions, with the exception of the click event.". Now Firefox doesn't comply with the spec. When I try to fix the bug [[2]|https://bugzilla.mozilla.org/show_bug.cgi?id=1370630], a regression has happened on all Jenkins websites. Users can't login Jenkins websites with Firefox anymore. After some experiments, it seems the Jenkins websites detect the browser's user agent and use untrusted 'submit' event to start form submission when the current browser is Firefox. Changing the UA of Chrome to the same string as Firefox also block the form submission.

       

      The steps I used to reproduce this problem

      On Chrome

      1. Change UA to the same string as Firefox
      2. Navigate https://jenkins.qa.ubuntu.com/
      3. Click login
      4. Enter username/password and press 'log in' button
      5. Nothing happened

      Expectation

      Don't use untrusted events to start form submission on Jenkins websites.

       

      [1] https://w3c.github.io/uievents/#trusted-events

      [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1370630

       

        Attachments

          Issue Links

            Activity

            Hide
            whimboo Henrik Skupin added a comment -

            Daniel Beck I have seen that the PR on Github has been merged, which is great to see. What else is left on the Jenkins side, and what does it mean to this issue report? Can it be closed now?

            Which version including the LTS will contain this fix? Depending on the other issues that we have to fix what is the time frame of shipping this code? Thanks.

            Show
            whimboo Henrik Skupin added a comment - Daniel Beck I have seen that the PR on Github has been merged, which is great to see. What else is left on the Jenkins side, and what does it mean to this issue report? Can it be closed now? Which version including the LTS will contain this fix? Depending on the other issues that we have to fix what is the time frame of shipping this code? Thanks.
            Hide
            danielbeck Daniel Beck added a comment -

            Can it be closed now?

            We usually do that only once a weekly release is out that has the fix. Too many folks are otherwise confused ("I'm on the latest release and the bug is still there" etc).

            Which version including the LTS will contain this fix?

            TBD, whichever LTS line includes 2.289 (unless we have to back it out again ); we decide on baseline later this week. I doubt we want to expedite into LTS again after the problems last time.

            Depending on the other issues that we have to fix what is the time frame of shipping this code?

            Maybe in LTS early June, pretty sure in LTS late August.

            Show
            danielbeck Daniel Beck added a comment - Can it be closed now? We usually do that only once a weekly release is out that has the fix. Too many folks are otherwise confused ("I'm on the latest release and the bug is still there" etc). Which version including the LTS will contain this fix? TBD, whichever LTS line includes 2.289 (unless we have to back it out again ); we decide on baseline later this week. I doubt we want to expedite into LTS again after the problems last time. Depending on the other issues that we have to fix what is the time frame of shipping this code? Maybe in LTS early June, pretty sure in LTS late August.
            Hide
            whimboo Henrik Skupin added a comment -

            Thank you for the information! If there is a problem on our side please also let me know.

            Show
            whimboo Henrik Skupin added a comment - Thank you for the information! If there is a problem on our side please also let me know.
            Hide
            markewaite Mark Waite added a comment -

            Jenkins 2.289 released Apr 20, 2021 included PR-5405

            Show
            markewaite Mark Waite added a comment - Jenkins 2.289 released Apr 20, 2021 included PR-5405
            Hide
            markewaite Mark Waite added a comment -

            Change in Jenkins 2.289 seems to have caused a regression described in the pull request comment.

            Show
            markewaite Mark Waite added a comment - Change in Jenkins 2.289 seems to have caused a regression described in the pull request comment .

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              iamstone ming-chou shih
              Votes:
              1 Vote for this issue
              Watchers:
              10 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: