JENKINS-24249

Dynamic pop-up menus don't appear when "Prevent Cross Site Request Forgery exploits" is enabled

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate
    • Component/s: _unsorted, core
    • Labels:
      None
    • Environment:
      Jenkins v1.575, jenkins stand-alone war file
      nginx as a proxy server in front of jenkins

      Description

      When enabling the Global Security option "Prevent Cross Site Request Forgery exploits", the dynamic pop-up menus stop working (they don't appear at all anymore).

      This applies to the Job menu in a view, to items in the Build Queue and the Build Executor Status, and to the "Jenkins" breadcrumb menu (top-left corner), so it seems to apply to all menus.

      "Crumb Algorithm" = "Default Crumb Issuer", and "Enable proxy compatibility" doesn't seem to make any difference.

            Activity

            stefanthurnherr Stefan Thurnherr added a comment -

            If this is a known down-side of enabling "Prevent Cross Site Request Forgery exploits", then it should be mentioned there, see JENKINS-15252.

            danielbeck Daniel Beck added a comment -

            I'm calling this one a duplicate of JENKINS-12875. In the default config, Nginx cannot handle the default CSRF header name ".crumb". See that issue (and issues linked there IIRC) for solutions.

            stefanthurnherr Stefan Thurnherr added a comment -

            @danielbeck: you're right: I'm getting "HTTP/1.1 403 No valid crumb was included in the request" when trying to open the pop-up menu. Sorry for not having thought about that before.
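
The nginx setting behind the diagnosis in this thread, as an added example that is not part of the original issue or of the Jenkins project's documentation: nginx's `ignore_invalid_headers` directive defaults to `on` and discards request headers whose names contain anything other than letters, digits and hyphens, which includes `.crumb`. The server name, listen port, upstream address and forwarded headers below are assumptions.

```nginx
# Added example; jenkins.example.com and 127.0.0.1:8080 are placeholder values.
server {
    listen 80;
    server_name jenkins.example.com;

    # Default behaviour ("on"): a header named ".crumb" is dropped before the
    # request is proxied, so Jenkins sees no crumb and answers
    # 403 "No valid crumb was included in the request".
    # ignore_invalid_headers on;

    # Forward headers that nginx considers invalid, including ".crumb".
    # At server level nginx only honours this directive in the default server
    # for the listen address and port, and the value then applies to every
    # virtual server sharing that address and port.
    ignore_invalid_headers off;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Because this forwards every header name nginx would otherwise reject, it is best kept on a listener dedicated to Jenkins rather than set in the shared `http` block.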


              People

              • Assignee:
                Unassigned
                Reporter:
                stefanthurnherr Stefan Thurnherr