Jenkins / JENKINS-53462

Jenkins websites use non-trusted 'submit' event to start form submission when current browser is Firefox

    Details

    • Type: Bug
    • Status: In Progress
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: core
    • Environment: Any Jenkins login form

      Description

      The HTML spec [1] says "Most untrusted events will not trigger default actions, with the exception of the click event." Now Firefox doesn't comply with the spec. When I tried to fix the bug [2], a regression happened on all Jenkins websites. Users can't log in to Jenkins websites with Firefox anymore. After some experiments, it seems the Jenkins websites detect the browser's user agent and use an untrusted 'submit' event to start form submission when the current browser is Firefox. Changing the UA of Chrome to the same string as Firefox also blocks the form submission.

       

      The steps I used to reproduce this problem

      On Chrome

      1. Change UA to the same string as Firefox
      2. Navigate to https://jenkins.qa.ubuntu.com/
      3. Click login
      4. Enter username/password and press 'log in' button
      5. Nothing happened

      Expectation

      Don't use untrusted events to start form submission on Jenkins websites.

       

      [1] https://w3c.github.io/uievents/#trusted-events

      [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1370630
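The failure mode reported above, as an added JavaScript example that is not Jenkins code and not part of the original report: a script-created `submit` event has `isTrusted === false`, so submission has to be started explicitly rather than left to a default action. `FakeForm` and the function names are hypothetical; `FakeForm` stands in for `HTMLFormElement` so the block runs without a DOM.

```javascript
// Added example. FakeForm is a hypothetical stand-in for HTMLFormElement so the
// block runs without a DOM. Like a spec-compliant browser handling an untrusted
// 'submit' event, it performs no default action when the event is dispatched.
class FakeForm extends EventTarget {
  constructor() {
    super();
    this.submitted = 0;
  }
  // Mirrors HTMLFormElement.submit(): sends the form without firing 'submit'.
  submit() {
    this.submitted += 1;
  }
}

// Fragile: dispatch a script-created 'submit' event and rely on the browser to
// submit as a side effect. Listeners run, but the event is untrusted.
function submitViaSyntheticEvent(form) {
  const ev = new Event('submit', { bubbles: true, cancelable: true });
  form.dispatchEvent(ev);
  return ev.isTrusted; // false for an event created by script
}

// Robust: start submission explicitly instead of depending on a default action.
function submitExplicitly(form) {
  if (typeof form.requestSubmit === 'function') {
    form.requestSubmit(); // browser validates, fires 'submit', then submits
    return 'requestSubmit';
  }
  // Fallback: run 'submit' listeners ourselves and honour preventDefault().
  const ev = new Event('submit', { bubbles: true, cancelable: true });
  const proceed = form.dispatchEvent(ev);
  if (proceed) form.submit();
  return proceed ? 'submit' : 'cancelled';
}

// Constructed scenario: one form with a passing listener, one whose listener
// rejects the input via preventDefault().
function demo() {
  const ok = new FakeForm();
  ok.addEventListener('submit', () => {});
  const trusted = submitViaSyntheticEvent(ok);
  const afterSynthetic = ok.submitted;
  const okPath = submitExplicitly(ok);

  const bad = new FakeForm();
  bad.addEventListener('submit', (e) => e.preventDefault());
  const badPath = submitExplicitly(bad);
  return { trusted, afterSynthetic, okPath, okSent: ok.submitted, badPath, badSent: bad.submitted };
}
```

In a browser, pass a real form element to `submitExplicitly`; where `requestSubmit()` exists it is used, and the fallback path covers older engines.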

       

            Activity

            danielbeck Daniel Beck added a comment -

            https://github.com/jenkinsci/jenkins/pull/3689/files is more general than that.
            whimboo Henrik Skupin added a comment -

            Oh, I thought that this issue was about a custom behavior only used for Firefox; as stated in the issue summary. So the non-trusted `submit` event was used for all browsers then?

            jglick Jesse Glick added a comment -

            JENKINS-54233 was recently reported, though I cannot reproduce it and it does not seem to have anything to do with clicking buttons (though it does look like a JavaScript issue).

            danielbeck Daniel Beck added a comment - - edited

            Proposed reversal of the fix in https://github.com/jenkinsci/jenkins/pull/3760 due to regressions it caused (especially for the upcoming 2.150.x LTS line).

            Proposed amendment of the fix in https://github.com/jenkinsci/jenkins/pull/3761 in the hopes it would solve the problem. Due to time constraints this has undergone minimal testing, would appreciate if others could take a look.
            https://repo.jenkins-ci.org/incrementals/org/jenkins-ci/main/jenkins-war/2.152-rc27510.acc4eec688a0/ has the jenkins.war for this PR, which currently is 2.151 + the specific change.

            whimboo Henrik Skupin added a comment -

            Thank you for the update Daniel! I also asked on https://bugzilla.mozilla.org/show_bug.cgi?id=1399783 if someone could help testing it with Firefox. Hope the new proposed fix will be less regression-prone and will fix it.


              People

              • Assignee:
                tscherler Thorsten Scherler
                Reporter:
                iamstone ming-chou shih