
Jenkins websites use non-trusted 'submit' event to start form submission when current browser is Firefox


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Component/s: core
    • Environment: classic login form (before 2.128), regular "Save" form submission buttons on the classic UI
    • Released As: Jenkins 2.173

      Description

      HTML spec [1] says "Most untrusted events will not trigger default actions, with the exception of the click event." Now Firefox doesn't comply with the spec. When I tried to fix the bug [2], a regression happened on all Jenkins websites. Users can't log in to Jenkins websites with Firefox anymore. After some experiments, it seems the Jenkins websites detect the browser's user agent and use an untrusted 'submit' event to start form submission when the current browser is Firefox. Changing the UA of Chrome to the same string as Firefox also blocks the form submission.


      The steps I used to reproduce this problem:

      On Chrome

      1. Change the UA to the same string as Firefox
      2. Navigate to https://jenkins.qa.ubuntu.com/
      3. Click login
      4. Enter username/password and press the 'log in' button
      5. Nothing happens

      Expectation

      Don't use untrusted events to start form submission on Jenkins websites.


      [1] https://w3c.github.io/uievents/#trusted-events

      [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1370630
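      The following is an added illustration, not code from Jenkins or Firefox: a constructed model of the UI Events "trusted events" rule the description cites, showing why a script-created 'submit' event stops submitting the form once the browser follows the spec, while a click dispatched to the submit button (the spec's one exception) still does. All class and function names (Evt, FormStub, SubmitButtonStub, dispatch, legacySubmit, submitViaButton) and the `legacyFirefox` switch are invented for this model.

```javascript
class Evt {
  constructor(type, isTrusted) {
    this.type = type; this.isTrusted = isTrusted; this.defaultPrevented = false;
  }
  preventDefault() { this.defaultPrevented = true; }
}

// Constructed stand-in for a <form>; `submitted` models the navigation.
class FormStub {
  constructor() { this.submitted = false; this.listeners = []; }
  addEventListener(type, fn) { this.listeners.push({ type, fn }); }
  submit() { this.submitted = true; }
  defaultAction(ev) { if (ev.type === 'submit') this.submit(); }
}

// Constructed stand-in for a submit button: its activation behaviour makes
// the browser itself fire a *trusted* submit event on the owning form.
class SubmitButtonStub {
  constructor(form) { this.form = form; this.listeners = []; }
  addEventListener(type, fn) { this.listeners.push({ type, fn }); }
  defaultAction(ev, opts) {
    if (ev.type === 'click') dispatch(this.form, new Evt('submit', true), opts);
  }
}

// Dispatch per UI Events: default action only for trusted events, click excepted.
// `legacyFirefox: true` models Firefox before the fix for bug 1370630, which
// also ran default actions for untrusted events.
function dispatch(target, ev, opts = { legacyFirefox: false }) {
  for (const l of target.listeners) if (l.type === ev.type) l.fn(ev);
  if (ev.defaultPrevented) return false;
  const runsDefault = ev.isTrusted || ev.type === 'click' || opts.legacyFirefox;
  if (runsDefault) target.defaultAction(ev, opts);
  return runsDefault;
}

// The pattern the issue describes: a script-created 'submit' event, which a
// spec-compliant browser ignores for the default action.
function legacySubmit(form, opts) {
  dispatch(form, new Evt('submit', false), opts);
  return form.submitted;
}

// Spec-safe alternative: dispatch the click to the submit button (the one
// exception), so validation listeners on the form still run and can cancel.
function submitViaButton(button, opts) {
  dispatch(button, new Evt('click', false), opts);
  return button.form.submitted;
}
```

      In a real browser the equivalent of the safe path is clicking the submit button or calling `form.submit()` directly; only the latter skips the form's own submit listeners.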



            Activity

            olivergondza Oliver Gondža added a comment - - edited

            Cool, thanks! I am backporting this to 2.164.3 to be released 2019-04-08 (EDIT: 2019-05-08), unless further regressions are found.

            Henrik Skupin, I do appreciate the effort put in making sure Jenkins is ready for the fix in Firefox. Though I am wondering if there is a chance to postpone the delivery until a significant Jenkins (or whatever other applications are affected) user base migrates to the fixed version.

            whimboo Henrik Skupin added a comment -

            I assume you mean 2019-05-08.

            We can postpone for sure. It's not that this patch is critical, and we already waited a while for it. Do you have some stats on how long it takes for the majority of users to upgrade to the next LTS release? Will it be one week, or two? Also note that the fix will land on mozilla-central only, which means it will only be part of a nightly build. Those people are tech-aware and should upgrade their instances fast enough.


            Our next merge to beta is on 2019-05-13, so I would suggest to at least wait until 2019-05-14 before landing that change in Firefox Nightly (69).

            danielbeck Daniel Beck added a comment -

            Henrik Skupin, we are unfamiliar with the Firefox release schedule, could you clarify what that means in terms of rolling out the change to regular users? Those who are on 66.0.3 right now?

            For Jenkins, based on usage statistics, 60% of LTS users are within the last 4 LTS releases (~4 months), and 50% of weekly release users are within the last 16 releases (~3.5 months). So I expect the majority of Jenkins users to be on compatible releases around August/September, and they can update no later than May (for LTS), and should already be updated (for weekly releases).

            From a project POV, we only consider the latest LTS and weekly releases (e.g. only those get security fixes) to be supported. Of course users may lag behind in updating, and for some setups, updating Jenkins is a big project. The question the Firefox team will need to answer is, how aggressively do they want to annoy Firefox+Jenkins users that update one but not the other.

            whimboo Henrik Skupin added a comment -

            Daniel Beck, thank you for bringing this up. It's actually not my job to make such a decision, so I will leave it up to the release managers to decide. I will clearly reference your last comment, so that they are aware of the situation for Jenkins users.


            whimboo Henrik Skupin added a comment - - edited

            Ok, so here is an update. If that patch sticks and will not be backed out again, we will land the Firefox patch for Firefox 69 on May 14th or 15th. Which means it will ride the trains through beta, and will finally be released on Sep 3rd. If by that time there are still users who are running a Jenkins LTS release earlier than 2.164.3, they will have to use Firefox 68 ESR. That ESR version will be maintained for another year, and will never have this patch included. For details see https://bugzilla.mozilla.org/show_bug.cgi?id=1370630#c41 and following.


            Thanks a lot again for the patch! It will unblock us from landing several features which are all blocked by this particular issue.


              People

              • Assignee: danielbeck Daniel Beck
              • Reporter: iamstone ming-chou shih
              • Votes: 1
              • Watchers: 9
