  1. Jenkins
  2. JENKINS-63575

JavaScriptMethod & 403 - No valid crumb was included in the request

    Details

    • Type: Bug
    • Status: Open
    • Priority: Blocker
    • Resolution: Unresolved
    • Component/s: core
    • Environment:
      Jenkins: 2.254
      Plugins:
      <groupId>io.jenkins.plugins</groupId>
      <artifactId>jquery3-api</artifactId>
      <version>3.5.1-1</version>
      Description

      The following code results in a 403 - No valid crumb was included in the request when the page is loaded.

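      public class MyLink implements RootAction {
          private String userId;

          // RootAction's getIconFileName(), getDisplayName() and getUrlName() omitted
          @JavaScriptMethod
          public void setUserId(final String value) {
              userId = value;
          }
      }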
      
      <st:bind var="instance" value="${it}"/>
      
      instance.setUserId($('#userId')
      

      org/kohsuke/stapler/bind.js has the following:

      if(window.jQuery === window.$) { //Is jQuery the active framework?
          $.ajax({
              type: "POST",
              url: url+methodName,
              data: stringify(a),
              contentType: 'application/x-stapler-method-invocation;charset=UTF-8',
              headers: {'Crumb':crumb},
              dataType: "json",
              success: function(data, textStatus, jqXHR) {
                  if (callback!=null) {
                      var t = {};
                      t.responseObject = function() {
                          return data;
                      };
                      callback(t);
                  }
              }
          });
      } else { //Assume prototype should work
          new Ajax.Request(url+methodName, {
              method: 'post',
              requestHeaders: {'Content-type':'application/x-stapler-method-invocation;charset=UTF-8','Crumb':crumb},
              postBody: stringify(a),
              onSuccess: function(t) {
                  if (callback!=null) {
                      t.responseObject = function() {
                          return eval('('+this.responseText+')');
                      };
                      callback(t);
                  }
              }
          });
      }
      

      And prototype.js has a patch for Ajax.Request to add `Jenkins-Crumb` to the request:

      // KK patch -- handle crumb for POST automatically by adding a header
          if(this.options.method=="post") {
              if(this.options.requestHeaders==undefined)
                  this.options.requestHeaders = {};
              crumb.wrap(this.options.requestHeaders);
          }
      // KK patch until here
      

      Nothing for patching jQuery as far as I can tell.

      Seems a bit disjointed and would be better solved by binding to the value returned from `SystemProperties.getString("hudson.security.csrf.requestfield", CrumbIssuer.DEFAULT_CRUMB_NAME)`.
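
      The header-name mismatch the description points at, modelled as an added example (not code from Jenkins, Stapler or the reporter). It assumes the server-side check reads only the header named by `hudson.security.csrf.requestfield`; `crumbFilterStatus`, `makeCrumb`, `jqueryHeaders`, `prototypeHeaders` and `compare` are hypothetical names, and the crumb value and the custom field name are constructed.

```javascript
// Model only: the filter and the header builders are hypothetical stand-ins,
// not Jenkins or Stapler code. Crumb values are constructed samples.
const DEFAULT_FIELD = 'Jenkins-Crumb';   // CrumbIssuer.DEFAULT_CRUMB_NAME
const ISSUED = 'constructed-crumb-1234';
const CT = 'application/x-stapler-method-invocation;charset=UTF-8';

// Assumed server-side check: only the configured field name is looked up
// (header names compare case-insensitively); anything else is a 403.
function crumbFilterStatus(headers, fieldName = DEFAULT_FIELD) {
  const hit = Object.keys(headers)
    .find((name) => name.toLowerCase() === fieldName.toLowerCase());
  return hit !== undefined && headers[hit] === ISSUED ? 200 : 403;
}

// Same shape as the global `crumb` helper the prototype.js patch calls.
function makeCrumb(fieldName, value) {
  return {
    fieldName,
    value,
    wrap(headers) {
      if (this.fieldName != null) headers[this.fieldName] = this.value;
      return headers;
    },
  };
}

// jQuery branch of bind.js: a literal 'Crumb' header and nothing else.
function jqueryHeaders(staplerCrumb) {
  return { 'Content-Type': CT, Crumb: staplerCrumb };
}

// Prototype branch: same literal header, then the "KK patch" wraps it.
function prototypeHeaders(staplerCrumb, crumb) {
  return crumb.wrap({ 'Content-type': CT, Crumb: staplerCrumb });
}

// Run both branches against a given configured field name.
function compare(fieldName) {
  const crumb = makeCrumb(fieldName, ISSUED);
  return {
    jquery: crumbFilterStatus(jqueryHeaders(ISSUED), fieldName),
    prototype: crumbFilterStatus(prototypeHeaders(ISSUED, crumb), fieldName),
    jqueryWrapped: crumbFilterStatus(crumb.wrap(jqueryHeaders(ISSUED)), fieldName),
    uninitialised: crumbFilterStatus(
      makeCrumb(null, null).wrap(jqueryHeaders(ISSUED)), fieldName),
  };
}

console.log(compare(DEFAULT_FIELD), compare('X-Constructed-Crumb'));
```

      Under this model only the requests that went through `wrap` with an initialised field name pass, whether the field name is the default or an overridden one.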

          Activity

          drulli Ulli Hafner added a comment -

          You need to move the bind tag inside of the layout tag. Typically I place it at the bottom before the JS code:
          https://github.com/jenkinsci/warnings-ng-plugin/blob/master/plugin/src/main/resources/io/jenkins/plugins/analysis/core/model/IssuesDetail/index.jelly

          prg0611 Shaun Thompson added a comment -

          That was it as it looks like it was bound differently this time. I'll have to track it back to see where the difference lies.

          Was this referenced anywhere and I just missed it?

          Thanks

          drulli Ulli Hafner added a comment -

          No, this is not referenced anywhere. I never noticed that it is even possible to use the jQuery path in Stapler bind. So this never worked before with Stapler in Jenkins. I'm not sure what would be a good place to document that behavior.

          prg0611 Shaun Thompson added a comment -

          Ok good to know it wasn't just a matter of reading the doc. 1/2 the time I spend in creating a custom Jenkins plugin with any type of advanced behavior I feel like I'm treading into the unknown.

          wfollonier Wadeck Follonier added a comment -

          Potential culprit: https://github.com/jenkinsci/jenkins/pull/4741/

            People

            • Assignee:
              Unassigned
              Reporter:
              prg0611 Shaun Thompson