Jenkins / JENKINS-18032

"Delete Project" link fails with 403 Exception: No valid crumb was included in the request

      Description

      Unable to delete any project.

        Attachments

        1. 18032-1.png (199 kB)
        2. 18032-2.png (24 kB)
        3. screenshot-1.png (31 kB)

            Activity

            jgenoese John Genoese added a comment - - edited

            Attachment "18032-1.png" depicts a Jenkins project home page.

            Attachment "18032-2.png" depicts the 403 response to the "Delete Project" click.

            mepp Matthew Epp added a comment -

            Also happening on my server now that I've upgraded to 1.515. Fedora 15.

            mepp Matthew Epp added a comment -

            I was able to work around the issue by disabling "Prevent Cross Site Request Forgery exploits" in the global security.

            jgenoese John Genoese added a comment -

            Workaround effectiveness confirmed. Thank you.

            jglick Jesse Glick added a comment -

            Try clearing cookies from your browser. Having too many stale session cookies can cause this error.

            franciscoruiz Francisco Ruiz added a comment -

            Fixed in https://github.com/jenkinsci/jenkins/pull/798 (pending)

            Disabling "Prevent Cross Site Request Forgery exploits" is a workaround and shouldn't be done.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            changelog.html
            http://jenkins-ci.org/commit/jenkins/10a072c7d496e5a11ed94ce071938a5506ec2064
            Log:
            JENKINS-17977 JENKINS-18032 Noting.

            Compare: https://github.com/jenkinsci/jenkins/compare/120716a8936f...10a072c7d496

            dogfood dogfood added a comment -

            Integrated in jenkins_main_trunk #2634
            JENKINS-17977 JENKINS-18032 Noting. (Revision 10a072c7d496e5a11ed94ce071938a5506ec2064)

            Result = SUCCESS
            Jesse Glick : 10a072c7d496e5a11ed94ce071938a5506ec2064
            Files :

            • changelog.html
            mireczatko Miroslav Zaťko added a comment -

            I don't think this is resolved... It is still here with Jenkins 1.584, 1.585

            thomasp Thomas Pummer added a comment - - edited

            Got the same problem in 1.581, workaround is still valid

            thomasp Thomas Pummer added a comment -

            Got the same problem in 1.581, workaround is still valid

            danielbeck Daniel Beck added a comment -

            Thomas Pummer Miroslav Zaťko Are any of you using nginx as reverse proxy?

            mireczatko Miroslav Zaťko added a comment -

            I am using Apache 2.2

            danielbeck Daniel Beck added a comment -

            Do you have JavaScript enabled? Could you provide the full request (headers and form fields and everything) sent by your browser when confirming the deletion in the JavaScript popup dialog that appears after you click 'Delete Project'? Use your browser's developer tools to determine this.

            mireczatko Miroslav Zaťko added a comment - - edited

            I hope this is what you requested...

            Remote Address:95.105.145.64:443
            Request URL:https://jenkins.mirexoft.com/job/testproject/doDelete
            Request Method:POST
            Status Code:403 Forbidden
            Request Headers
            POST /job/testproject/doDelete HTTP/1.1
            Host: jenkins.mirexoft.com
            Connection: keep-alive
            Content-Length: 0
            Pragma: no-cache
            Cache-Control: no-cache
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
            Origin: https://jenkins.mirexoft.com
            User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/37.0.2062.120 Chrome/37.0.2062.120 Safari/537.36
            Content-Type: application/x-www-form-urlencoded
            Referer: https://jenkins.mirexoft.com/
            Accept-Encoding: gzip,deflate
            Accept-Language: en-US,en;q=0.8,sk;q=0.6,cs;q=0.4
            Cookie: iconSize=16x16; ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE="bXphdGtvOjE0MTUyNTk4NTQ1OTk6MTE4MGY2OTMzMWY4NmExMjlhMDdlOGY4Y2Y2N2VjYWNlNTgzMzU3YmQzMjM0NDhlZTZiOWZiZTJkN2EwMTY3OA=="; JSESSIONID=425E4C90D41505AF70EC60E0E502E5CC; screenResolution=2048x1152
            Response Headers
            HTTP/1.1 403 Forbidden
            Date: Tue, 28 Oct 2014 22:25:35 GMT
            Server: Apache-Coyote/1.1
            Content-Type: text/html;charset=utf-8
            Content-Language: en
            Vary: Accept-Encoding
            Content-Encoding: gzip
            Keep-Alive: timeout=5, max=99
            Connection: Keep-Alive
            Transfer-Encoding: chunked

            danielbeck Daniel Beck added a comment -

            For some reason it does not include the .crumb in the request body, judging by the Content-Length: 0. When I do this, it's Content-Length: 39, and the request body is

            .crumb: "002233334555666777888aabbcccccee"

            Are there any JavaScript errors on the page that shows the Delete Project link (that could prevent the .crumb from being added to the form)?
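
The check described in the comment above (a POST with Content-Length: 0 cannot carry the .crumb field), written as an added example that is not part of the original thread and is not Jenkins code. It assumes the crumb travels either as a form field or as a request header named .crumb; the function names and the sample host are made up for illustration.

```javascript
// Added example (not Jenkins code): check whether a captured POST carries the CSRF crumb.
// ".crumb" is the field/header name quoted in the thread; function names are hypothetical.
const CRUMB_NAME = '.crumb';

// Split a raw HTTP/1.x request into method, path, lower-cased headers and body.
function parseRawRequest(raw) {
  const text = raw.replace(/\r\n/g, '\n');
  const sep = text.indexOf('\n\n');
  const head = sep === -1 ? text : text.slice(0, sep);
  const body = sep === -1 ? '' : text.slice(sep + 2);
  const [requestLine, ...headerLines] = head.split('\n');
  const [method, path] = requestLine.trim().split(/\s+/);
  const headers = new Map();
  for (const line of headerLines) {
    const colon = line.indexOf(':');
    if (colon > 0) {
      headers.set(line.slice(0, colon).trim().toLowerCase(), line.slice(colon + 1).trim());
    }
  }
  return { method, path, headers, body };
}

// Report where (if anywhere) the crumb travels: form field in the body, or request header.
function diagnoseCrumb(raw, crumbName = CRUMB_NAME) {
  const { method, path, headers, body } = parseRawRequest(raw);
  const declaredLength = headers.has('content-length')
    ? Number(headers.get('content-length')) : null;
  const isForm = (headers.get('content-type') || '')
    .toLowerCase().startsWith('application/x-www-form-urlencoded');
  const form = new URLSearchParams(isForm ? body : '');
  const inBody = Boolean(form.get(crumbName));
  const inHeader = Boolean(headers.get(crumbName.toLowerCase()));
  let verdict;
  if (method !== 'POST') verdict = 'not-a-post';
  else if (inBody || inHeader) verdict = 'crumb-present';
  else if (declaredLength === 0) verdict = 'empty-body-no-crumb';
  else verdict = 'crumb-missing';
  return { path, declaredLength, actualLength: Buffer.byteLength(body), inBody, inHeader, verdict };
}

// Constructed samples. The first mirrors the failing request in the thread (cookies and
// most headers omitted, host replaced); the second carries the body Daniel Beck describes;
// the third is a constructed request that sends the crumb as a header instead.
const CRUMB = '002233334555666777888aabbcccccee'; // value as quoted in the thread
const buildRequest = (lines, body = '') => [...lines, '', body].join('\r\n');
const SAMPLES = {
  contextMenuDelete: buildRequest([
    'POST /job/testproject/doDelete HTTP/1.1',
    'Host: jenkins.example.test',
    'Content-Length: 0',
    'Content-Type: application/x-www-form-urlencoded',
  ]),
  projectPageDelete: buildRequest([
    'POST /job/testproject/doDelete HTTP/1.1',
    'Host: jenkins.example.test',
    'Content-Length: 39',
    'Content-Type: application/x-www-form-urlencoded',
  ], `${CRUMB_NAME}=${CRUMB}`),
  crumbAsHeader: buildRequest([
    'POST /job/testproject/doDelete HTTP/1.1',
    'Host: jenkins.example.test',
    'Content-Length: 0',
    `${CRUMB_NAME}: ${CRUMB}`,
  ]),
};

for (const [name, raw] of Object.entries(SAMPLES)) {
  const d = diagnoseCrumb(raw);
  console.log(`${name}: ${d.verdict} (declared ${d.declaredLength}, actual ${d.actualLength} bytes)`);
}
```

The 39-byte body is the 7 characters of `.crumb=` followed by the 32-character crumb value, which matches the Content-Length reported for the working request.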

            danielbeck Daniel Beck added a comment -

            Unfortunately, the crumb is added at the same time the POST is sent, so one should not happen without the other.

            In Firefox 33, I can suspend JavaScript in the debugger while the dialog shows. When I then confirm deletion, and Step Over one instruction, I'm in the inline script block that handles the form submit triggered by the confirmation. (In the HTML, it's the next sibling element after the Delete Project link.) Could you step over until after crumb.appendToForm(form) and then check what e.g. form.innerHTML looks like? For me, it's <div><input name=".crumb" value="002233335556667777888aabbcccccee" type="hidden"></div>

            mireczatko Miroslav Zaťko added a comment -

            I'm not able to go that deep into the source code; however, I don't see any JavaScript error...

            thomasp Thomas Pummer added a comment -

            After using the workaround (disabling "Prevent Cross Site Request Forgery exploits") it could not be reproduced at our Jenkins installation, even when it was turned back on.

            danielbeck Daniel Beck added a comment -

            In the security configuration where CSRF protection is selected, is the Default Crumb Issuer also selected?

            danielbeck Daniel Beck added a comment -

            Note that this can happen whenever you click a link or button before the page finishes loading (e.g. because an image takes long to load). There's JavaScript running in the background while the page loads and before that's done, the form will lack the crumb.

            So make sure to wait until the page has finished loading before clicking around.

            ntkach Nick Tkach added a comment -

            We're getting users with the same problem sporadically. Yes, we do have the CSRF protection enabled and the "Default Crumb Issuer" also checked. It seems to happen regardless of browser (done it at least on Firefox and Chrome) and regardless of platform (done it on OS X, Linux, and Windows). We're seeing it on Jenkins LTS 1.580.1.1 (Cloudbees Enterprise 14.11).

            jglick Jesse Glick added a comment -

            Nick Tkach Jenkins Enterprise customers should file a support ticket so we can work directly on diagnosis. Obviously if that leads ultimately to discovery and fix of a bug in open-source Jenkins code, then great.

            danielbeck Daniel Beck added a comment -

            Nick Tkach If it happens sporadically, make sure the web page has finished loading when you click the link, as only then will the crumb have been attached to it.

            romanp Roman Pickl added a comment -

            I get the same error if I try to delete a job via click in the context menu in the job overview -> context menu.

            Jenkins ver. 1.580.1

            elephantjim Jim Rath added a comment -

            If you're using Jenkins behind a reverse proxy using nginx, see JENKINS-12875. The .crumb header gets ignored by default by nginx.

            danielbeck Daniel Beck added a comment -

            Nick Tkach Did you find out what the cause for your issue was?

            Jim Rath: Good reference, but when it's sporadic (Nick), or happens behind Apache (Miroslav), it's a different issue.

            danielbeck Daniel Beck added a comment -

            Anyone still experiencing this issue, but not behind nginx reverse proxy, after the web page finished loading, etc?

            jgenoese John Genoese added a comment -

            Is there a fix release that I can download and test?

            danielbeck Daniel Beck added a comment -

            I don't think this specific issue has been addressed. I'd like to get some updated information, so if anyone still has this problem on a recent version of Jenkins (1.6xx), please let me know. https://wiki.jenkins-ci.org/display/JENKINS/How+to+report+an+issue may be a helpful read – the more information you can provide, the better.

            bleeme Wei-min Lee added a comment -

            This happens from the Dashboard view when you choose Delete Project from the project dropdown menu.

            romanp Roman Pickl added a comment -

            I can confirm this in version 1.596.3

            hany Hany Fahim added a comment - - edited

            This issue also appears to affect 1.620. Are there any workarounds for this? I can confirm that the crumb header makes it through with other requests, just not when deleting, and possibly others as well.

            danielbeck Daniel Beck added a comment -

            Appears to only affect the "Delete Project" link in the popup menu. Workaround is then to navigate to the project and click the link there.

            Anyone experiencing something different?

            sumith_ml Sumith Augustine added a comment -

            I have the same issue, and the workaround is the same as mentioned by Daniel Beck: navigate to the project >> Delete Project (on the left-hand side) >> and confirm.

            danielbeck Daniel Beck added a comment -

            Easy workaround is present (see preceding comments), so lowering priority.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            core/src/main/resources/lib/layout/breadcrumbs.js
            http://jenkins-ci.org/commit/jenkins/57fced93596b1f8bd69f00f154430a11530393de
            Log:
            [FIXED JENKINS-18032] Crumbs must be appended when using post=true requiresConfirmation=true.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            core/src/main/resources/lib/layout/breadcrumbs.js
            http://jenkins-ci.org/commit/jenkins/37111bf12e5038fcd240bbefb3aa9474e45585c2
            Log:
            Merge pull request #2131 from jglick/requiresConfirmation-post-context-menu-JENKINS-18032

            JENKINS-18032 Fix Delete Project from context menu when using CSRF defense

            Compare: https://github.com/jenkinsci/jenkins/compare/35ec989afffc...37111bf12e50

            dogfood dogfood added a comment -

            Integrated in jenkins_main_trunk #4511
            [FIXED JENKINS-18032] Crumbs must be appended when using post=true (Revision 57fced93596b1f8bd69f00f154430a11530393de)

            Result = SUCCESS
            jesse glick : 57fced93596b1f8bd69f00f154430a11530393de
            Files :

            • core/src/main/resources/lib/layout/breadcrumbs.js
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            core/src/main/resources/lib/layout/breadcrumbs.js
            http://jenkins-ci.org/commit/jenkins/328be10df62c8d349e6f1b76939aed13b5784e80
            Log:
            [FIXED JENKINS-18032] Crumbs must be appended when using post=true requiresConfirmation=true.
            (cherry picked from commit 57fced93596b1f8bd69f00f154430a11530393de)


              People

              • Assignee: jglick Jesse Glick
              • Reporter: jgenoese John Genoese
              • Votes: 4
              • Watchers: 20
