JENKINS-63575

JavaScriptMethod & 403 - No valid crumb was included in the request

Details

    • Bug
    • Status: Open
    • Blocker
    • Resolution: Unresolved
    • core
    • Jenkins: 2.254
      Plugins:
      <groupId>io.jenkins.plugins</groupId>
      <artifactId>jquery3-api</artifactId>
      <version>3.5.1-1</version>

    Description

      The following code results in a 403 - No valid crumb was included in the request when the page is loaded.

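      public class MyLink implements RootAction {
          private String userId;

          // Exposed to page JavaScript through the <st:bind> proxy
          @JavaScriptMethod
          public void setUserId(final String value) {
              userId = value;
          }
          // RootAction methods (getIconFileName, getDisplayName, getUrlName) omitted
      }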
      
      <st:bind var="instance" value="${it}"/>
      
      instance.setUserId($('#userId')
      

      org/kohsuke/stapler/bind.js has the following:

      if(window.jQuery === window.$) { //Is jQuery the active framework?
          $.ajax({
              type: "POST",
              url: url+methodName,
              data: stringify(a),
              contentType: 'application/x-stapler-method-invocation;charset=UTF-8',
              headers: {'Crumb':crumb},
              dataType: "json",
              success: function(data, textStatus, jqXHR) {
                  if (callback!=null) {
                      var t = {};
                      t.responseObject = function() {
                          return data;
                      };
                      callback(t);
                  }
              }
          });
      } else { //Assume prototype should work
          new Ajax.Request(url+methodName, {
              method: 'post',
              requestHeaders: {'Content-type':'application/x-stapler-method-invocation;charset=UTF-8','Crumb':crumb},
              postBody: stringify(a),
              onSuccess: function(t) {
                  if (callback!=null) {
                      t.responseObject = function() {
                          return eval('('+this.responseText+')');
                      };
                      callback(t);
                  }
              }
          });
      }
      

      And prototype.js has a patch for Ajax.Request to add `Jenkins-Crumb` to the request:

      // KK patch -- handle crumb for POST automatically by adding a header
          if(this.options.method=="post") {
              if(this.options.requestHeaders==undefined)
                  this.options.requestHeaders = {};
              crumb.wrap(this.options.requestHeaders);
          }
      // KK patch until here
      

      Nothing for patching jQuery as far as I can tell.

      Seems a bit disjointed and would be better solved by binding to the value returned from `SystemProperties.getString("hudson.security.csrf.requestfield", CrumbIssuer.DEFAULT_CRUMB_NAME)`.
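
An added example, not part of the original report and not Stapler or Jenkins source: it models the headers each bind.js branch sends, as the report reads them, and a simplified server-side crumb check. The `crumb` object's shape, `crumbFilterStatus`, `jqueryBranchHeadersWrapped` and the sample crumb values are assumptions made for illustration.

```javascript
// Model of the two bind.js branches quoted in the report. Everything here
// is constructed for illustration; it is not Stapler or Jenkins source.
const CRUMB_FIELD = 'Jenkins-Crumb';        // header name quoted in the report
const SESSION_CRUMB = 'c0ffee-constructed'; // constructed sample value

// Stand-in for the page-level `crumb` object that the prototype.js patch
// calls; assumed to hold the field name and value once initialised.
const crumb = {
  fieldName: null,
  value: null,
  init(name, value) { this.fieldName = name; this.value = value; },
  wrap(headers) {
    if (this.fieldName !== null) headers[this.fieldName] = this.value;
    return headers;
  },
};

// Headers each branch puts on the POST, given the proxy's own crumb.
function jqueryBranchHeaders(proxyCrumb) {
  return { Crumb: proxyCrumb };             // only the 'Crumb' header
}
function prototypeBranchHeaders(proxyCrumb) {
  const headers = {
    'Content-type': 'application/x-stapler-method-invocation;charset=UTF-8',
    Crumb: proxyCrumb,
  };
  return crumb.wrap(headers);               // the "KK patch" step
}

// Hypothetical server-side check: accept only when the configured field
// carries the session's crumb, otherwise answer 403.
function crumbFilterStatus(headers, field = CRUMB_FIELD) {
  return headers[field] === SESSION_CRUMB ? 200 : 403;
}

// The same wrap step applied to the jQuery branch (one possible fix).
function jqueryBranchHeadersWrapped(proxyCrumb) {
  return crumb.wrap(jqueryBranchHeaders(proxyCrumb));
}

function demo() {
  crumb.init(CRUMB_FIELD, SESSION_CRUMB);
  return {
    jquery: crumbFilterStatus(jqueryBranchHeaders('proxy-crumb')),
    prototype: crumbFilterStatus(prototypeBranchHeaders('proxy-crumb')),
    jqueryWrapped: crumbFilterStatus(jqueryBranchHeadersWrapped('proxy-crumb')),
  };
}
console.log(demo());
```

If the `crumb` object has not been initialised when the call is made, `wrap` adds nothing and the prototype branch is rejected as well.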

        Activity

          drulli Ulli Hafner added a comment -

          You need to move the bind tag inside of the layout tag. Typically I place it at the bottom before the JS code:
          https://github.com/jenkinsci/warnings-ng-plugin/blob/master/plugin/src/main/resources/io/jenkins/plugins/analysis/core/model/IssuesDetail/index.jelly

          prg0611 Shaun Thompson added a comment -

          That was it as it looks like it was bound differently this time. I'll have to track it back to see where the difference lies.

          Was this referenced anywhere and I just missed it?

          Thanks

          drulli Ulli Hafner added a comment -

          No, this is not referenced anywhere. I never noticed that it is even possible to use the jQuery path in Stapler bind. So this never worked before with Stapler in Jenkins. I'm not sure what would be a good place to document that behavior.

          prg0611 Shaun Thompson added a comment -

          Ok good to know it wasn't just a matter of reading the doc. 1/2 the time I spend in creating a custom Jenkins plugin with any type of advanced behavior I feel like I'm treading into the unknown.

          wfollonier Wadeck Follonier added a comment - Potential culprit: https://github.com/jenkinsci/jenkins/pull/4741/

          People

            Unassigned Unassigned
            prg0611 Shaun Thompson