
Jenkins websites use non-trusted 'submit' event to start form submission when current browser is Firefox

    • Bug
    • Resolution: Fixed
    • Major
    • core
    • classic login form (before 2.128), regular "Save" form submission buttons on the classic UI
    • Jenkins 2.173 to 2.201, removed from 2.202, 2.289 released Apr 20, 2021

      The HTML spec [1] says "Most untrusted events will not trigger default actions, with the exception of the click event." Now Firefox doesn't comply with the spec. When I tried to fix the bug [2], a regression happened on all Jenkins websites. Users can't log in to Jenkins websites with Firefox anymore. After some experiments, it seems the Jenkins websites detect the browser's user agent and use an untrusted 'submit' event to start form submission when the current browser is Firefox. Changing the UA of Chrome to the same string as Firefox also blocks the form submission.

       

      The steps I used to reproduce this problem

      On Chrome

      1. Change UA to the same string as Firefox
      2. Navigate to https://jenkins.qa.ubuntu.com/
      3. Click login
      4. Enter username/password and press 'log in' button
      5. Nothing happened

      Expectation

      Don't use untrusted events to start form submission on Jenkins websites.

       

      [1] https://w3c.github.io/uievents/#trusted-events

      [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1370630
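
      The behaviour described in the report, as an added example that is not part of the original issue and is not Jenkins code: a script-created 'submit' event is untrusted and does not submit a form in a spec-compliant browser, while the form's own submission API does. `FakeForm` is a constructed stand-in for a browser form so the code runs in Node, and `submitViaSyntheticEvent`, `submitForm` and `demo` are hypothetical names.

```javascript
// Added example. FakeForm is a constructed stand-in for HTMLFormElement that
// behaves like a spec-compliant browser, so the code runs in Node without a DOM.
class FakeForm extends EventTarget {
  constructor() {
    super();
    this.submissions = 0; // how many times the form was actually sent
  }
  // Like form.submit(): sends the form, fires no 'submit' event.
  submit() {
    this.submissions += 1;
  }
  // Like form.requestSubmit(): fires a cancelable 'submit' event first and
  // sends the form only if no handler called preventDefault(). In a browser
  // the user agent fires this event itself.
  requestSubmit() {
    const ev = new Event('submit', { cancelable: true });
    if (this.dispatchEvent(ev)) this.submit();
  }
}

// Pattern from the report (hypothetical helper name): a script-created
// 'submit' event. Handlers run, but event.isTrusted is false and a
// spec-compliant browser does not perform the default action (submission).
function submitViaSyntheticEvent(form) {
  const ev = new Event('submit', { bubbles: true, cancelable: true });
  form.dispatchEvent(ev);
  return ev.isTrusted;
}

// Replacement (hypothetical helper name): ask the form to submit through its
// API instead of relying on an event's default action.
function submitForm(form) {
  if (typeof form.requestSubmit === 'function') {
    form.requestSubmit(); // runs submit handlers, honours preventDefault()
  } else {
    form.submit(); // older browsers: submits without running handlers
  }
}

// Runs both paths against one form and reports what happened.
function demo() {
  const form = new FakeForm();
  let handlerRuns = 0;
  form.addEventListener('submit', () => { handlerRuns += 1; });
  const trusted = submitViaSyntheticEvent(form);
  const afterSynthetic = form.submissions;
  submitForm(form);
  return { trusted, afterSynthetic, afterApi: form.submissions, handlerRuns };
}
```

      In a real page, pass the actual form element (for example the result of `document.querySelector('form')`) to `submitForm` in place of `FakeForm`.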

       

          [JENKINS-53462] Jenkins websites use non-trusted 'submit' event to start form submission when current browser is Firefox

          ming-chou shih created issue -

          R. Tyler Croy added a comment -

          The WEBSITE project is for jenkins.io and those sorts of issues.

           

          That said, jenkins.qa.ubuntu.com is running a version of Jenkins more than two years old at this point.

          R. Tyler Croy made changes -
          Resolution New: Won't Fix [ 2 ]
          Status Original: To Do [ 10003 ] New: Done [ 10004 ]

          ming-chou shih added a comment -

          My apologies if I ask some stupid questions. I'm wondering if the new version of Jenkins still uses the untrusted 'submit' event? I tried to find out the steps to test it by myself but failed due to my limited understanding of it. I'm thinking about a possible solution to stop using the untrusted submit event in Firefox without breaking too many existing websites. Any suggestions are very welcome. Thanks.

          Oleg Nenashev added a comment -

          FYI danielbeck, seems to be a security-related matter


          Edgar Chen added a comment - - edited

          Hi, I could not reproduce this problem in the weekly version of Jenkins, but I still could reproduce it on the LTS version. Should we reopen this issue for the LTS version? Thank you.

          Edgar Chen made changes -
          Resolution Original: Won't Fix [ 2 ]
          Status Original: Done [ 10004 ] New: To Do [ 10003 ]

          Henrik Skupin added a comment - - edited

          There was a refactoring of the login page which may have changed this in version 2.128 from June 18th this year?

           

          Jira issue: https://issues.jenkins-ci.org/browse/JENKINS-50447

          GitHub PR: https://github.com/jenkinsci/jenkins/pull/3380

           


          Henrik Skupin added a comment -

          oleg_nenashev, danielbeck, if the fix cannot be integrated in the current LTS release, is there already an ETA when the next major LTS release will happen? Thanks.


          Daniel Beck added a comment -

          I cannot, and could never, despite Firefox being my default browser, reproduce the issue on any Jenkins instance, and it is unclear that the issue as reported actually exists in current releases of Jenkins. More information is needed before we even consider this to be an open bug.


            Assignee: Unassigned
            Reporter: ming-chou shih (iamstone)