preventDefault() on form.dispatchEvent(new Event('submit'))?
Categories
(Core :: DOM: Forms, defect, P3)
Tracking
()
People
(Reporter: janx, Assigned: edgar)
References
(Blocks 1 open bug, )
Details
(Keywords: dev-doc-needed, site-compat)
Attachments
(2 files, 2 obsolete files)
When pasting the following address into various browsers, we get different results: data:text/html, <form action="https://www.mozilla.org/" id="form"> <input type="submit" value="Navigate maybe"> </form> <script> var form = document.getElementById("form"); form.addEventListener("submit", function (event) { console.log(event.cancelable); event.preventDefault(); }); form.dispatchEvent(new Event('submit')); </script> - Firefox will navigate away (`event.preventDefault()` won't work) - Chrome will not navigate away (`event.preventDefault()` will have the last word) The correct behavior according to specs is to navigate (like Firefox does), because `new Event('submit')` is not cancelable unless you specify `new Event('submit', { cancelable: true })`. I'm not sure if Chrome's behavior is a bug, or if it's intended to be helpful (my code does look like I'm trying hard not to submit), so I'll file a Chrome bug as well. See also: https://stackoverflow.com/questions/40916300/how-can-i-preventdefault-on-dispatchevent
Reporter | ||
Updated•7 years ago
|
Comment 1•7 years ago
|
||
Thanks for the bug! It would be useful to know if this breaks sites for us to help us decide what to do here (i.e., implement Chrome's behavior and update the spec, or just close as INVALID). I added the "hotlist-interop" label to the Chromium bug.
Comment 2•7 years ago
|
||
Stone may have thoughts here. Otherwise we can wait for Anne to return from PTO.
Comment 3•7 years ago
|
||
Like Janx's description, FF follows the spec and Chrome's behavior is helpful to web authors. Considering to be helpful to web authors, maybe we could consider giving the corresponding values of bubbles and cancelable for each kind of event so that users could simply create an event and dispatch it without caring the bubbles and cancelable values. But I don't know if it's worth to do it.
Updated•7 years ago
|
Reporter | ||
Comment 4•7 years ago
|
||
FYI, the Chromium bug was closed as WONTFIX: From https://bugs.chromium.org/p/chromium/issues/detail?id=730108#c4 > This is a bug of Firefox. Dispatching non-trusted 'submit' event should not start form submission. The specification doesn't define such behavior AFAIK.
Reporter | ||
Comment 5•7 years ago
|
||
FYI Safari and Edge don't seem to navigate away either (Chrome's behavior). Firefox seems to be the only browser that navigates away on the example code.
Comment 6•7 years ago
|
||
According to [1], untrusted events shouldn't trigger the UA default actions. [1] https://www.w3.org/TR/uievents/#trusted-events
Comment 7•7 years ago
|
||
Comment 8•7 years ago
|
||
To close my needinfo: Ming-Chou is correct (although note that there's an exception for the click event, as defined by https://dom.spec.whatwg.org/ in the Events section).
Updated•7 years ago
|
Comment 9•7 years ago
|
||
Comment on attachment 8879069 [details] [diff] [review] Bug 1370630 - Untrusted submit event shouldn't trigger form submission Need to change also HTMLFormElement::GetEventTargetParent and maybe also HTMLFormElement::WillHandleEvent
Comment 10•7 years ago
|
||
Comment 11•7 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #9) > Comment on attachment 8879069 [details] [diff] [review] > Bug 1370630 - Untrusted submit event shouldn't trigger form submission > > Need to change also HTMLFormElement::GetEventTargetParent and maybe also > HTMLFormElement::WillHandleEvent I didn't change WillHandleEvent because it's related to the event propagation of nested form elements and I don't see a reason to have different behaviors of trusted or untrusted events.
Updated•7 years ago
|
Updated•7 years ago
|
Comment 12•7 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=5c9c71651d96b9551ad80b0f91857d62ccf58efe
Comment 13•7 years ago
|
||
Pushed by sshih@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/367b6f947f87 Untrusted submit event shouldn't trigger form submission. r=smaug.
Comment 14•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/367b6f947f87
Comment 15•7 years ago
|
||
So, I have a mozilla-internal jenkins site (that uses YUI), that has been broken by this. I used mozregression to bisect the site problem back to exactly this change. Unfortunately, that site is not available to mozilla employees in general, so not sure how to give you something you can debug. Although, perhaps since this change might have impact on sites, this may be just an example of one (Jenkins).
Comment 16•7 years ago
|
||
reopened & marked as regression to catch folks eyes sooner.
Comment 17•7 years ago
|
||
Note: the site does work Chrome Version 59.0.3071.115 on macOS 10.12.5
Comment 18•7 years ago
|
||
This one is fixed. Please file a followup bug or ask this one to be backed out (and once backed out, reopen).
Comment 19•7 years ago
|
||
John, do you know why the site works on Chrome? I assume Jenkins uses some Gecko specific code it shoudn't use.
Comment 20•7 years ago
|
||
Mozregression shows this bug breaks https://webcompat.com/issues/8128 or any jenkins login, any idea?
Comment 21•7 years ago
|
||
Backout by sshih@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/c7c8b33ba324 Backed out changeset 367b6f947f87 for breaking mozilla-internal jenkins site. r=backout.
Comment 22•7 years ago
|
||
Added an URL of a public Jenkins server
Updated•7 years ago
|
Comment 23•7 years ago
|
||
backout bugherder |
https://hg.mozilla.org/mozilla-central/rev/c7c8b33ba324
Updated•7 years ago
|
Updated•7 years ago
|
Comment 25•7 years ago
|
||
Change Chrome's user agent to be the same as Firefox, Chrome doesn't work anymore. Apply my patch and change the user agent to be the same as Chrome, button submission works.
Comment 26•7 years ago
|
||
(In reply to Ming-Chou Shih [:stone] from comment #25) > Change Chrome's user agent to be the same as Firefox, Chrome doesn't work > anymore. Apply my patch and change the user agent to be the same as Chrome, > button submission works. Hi Eric, According to the testing results, it's because the website behaves differently for different user agents and I have no idea how to proceed. Any suggestions about it?
Comment 27•7 years ago
|
||
hi :stone, could you help to update some more detail about different behavior from which website? the public Jenkins server or mine private one?
Comment 28•7 years ago
|
||
I verified on http://jenkins2.legacyserver.in/ I can verify it on the public server later.
Comment 29•7 years ago
|
||
(In reply to Ming-Chou Shih [:stone] from comment #28) > I verified on http://jenkins2.legacyserver.in/ > > I can verify it on the public server later. Oops. I don't have an account nor find a link to sign up.
Comment 30•7 years ago
|
||
(In reply to Ming-Chou Shih [:stone] from comment #29) > (In reply to Ming-Chou Shih [:stone] from comment #28) > > I verified on http://jenkins2.legacyserver.in/ > > > > I can verify it on the public server later. > Oops. I don't have an account nor find a link to sign up. Hi Eric, I only can confirm that the problem on [1] is caused by the user agent. I don't have access to the public jenkins website [2]. Any suggestions? [1] http://jenkins2.legacyserver.in/ [2] https://jenkins.qa.ubuntu.com/login?from=%2F
Comment 31•7 years ago
|
||
Per-talk with :stone, I think if it's solved in an internal jenkins server, we should land first to make sure the behavior is correct. If there is any UA detection makes this not work, please file another bug in webcompat general or Tech_Evangelism to outreach.
Assignee | ||
Updated•6 years ago
|
Comment 32•6 years ago
|
||
https://github.com/jenkinsci/jenkins/pull/3689 is a PR to make Jenkins work again as soon the fix has landed in FF, however that means the server needs to use the newest version of jenkins or patch their version of hudson-behavior.js as demonstrated in the pr.
Assignee | ||
Updated•6 years ago
|
Comment 34•6 years ago
|
||
:stone, would you mind updating the patch? As https://issues.jenkins-ci.org/browse/JENKINS-53462 states the depending Jenkins issue will be fixed soon. As such it would be great to have a build for testing the fix. Thanks!
Assignee | ||
Comment 35•6 years ago
|
||
Assignee | ||
Comment 36•6 years ago
|
||
:stone is no longer active. I have rebased the patch and also triggered a try run, https://treeherder.mozilla.org/#/jobs?repo=try&revision=3f12e17b558a36ef5b65235d663c4e617c3d328e
Comment 37•6 years ago
|
||
Thanks Edgar! I will forward that link to the Jenkins people for testing.
Comment 38•6 years ago
|
||
So the Jenkins patch was tested with the above try build of Firefox, and they were able to confirm that their fix works with the patch on this bug. So it will go live in Jenkins 2.174. When the LTS release will get the fix isn't clear yet. But here the comment from one of the maintainers:
2.164.3, scheduled for May 8, the earliest, if accepted as a backport. The next .1, scheduled for early June, otherwise. Assuming of course we don't cause regressions again.
As such we might have to wait until early June at latest before we can push this patch. I will keep an eye on the releases, and will let you know.
Comment 39•6 years ago
|
||
Actually including this patch in Firefox in the near future might not be easy given the following reply from Daniel Beck about the usage statistics of Jenkins LTS versions:
Sylvestre, what is the take from Release managers in how best we can get this fixed without annoying users of Jenkins?
Comment 40•6 years ago
|
||
We would need to get the patch in nightly.
Depends when Edgar can get it landed but it will be probably too late for 67
Comment 41•6 years ago
|
||
(In reply to Sylvestre Ledru [:sylvestre] from comment #40)
We would need to get the patch in nightly.
That for sure...
Depends when Edgar can get it landed but it will be probably too late for 67
No, we don't clearly want it for 67 and maybe also not for 68, whereby this would be great. Please see the link from my last comment in why this is a bit more complicated to land without affecting Jenkins users. If we don't care we could land after the next merge. Then there are still 12 weeks left before we reach release, but some users might not have updated their Jenkins installation by then. From my experience I can say it's not always easy and takes time.
So landing this patch for Firefox 69 affected Jenkins folks could still use our upcoming Firefox 68 ESR release with older versions of Jenkins. Maybe that could be a compromise?
Comment 42•6 years ago
|
||
Forwarding needinfo for the last comment from Sylvestre to Mike.
Comment 43•6 years ago
|
||
So landing this patch for Firefox 69 affected Jenkins folks could still use our upcoming Firefox 68 ESR release with older versions of Jenkins. Maybe that could be a compromise?
That sounds reasonable to me.
Comment 44•6 years ago
|
||
Great! So lets wait for May 14th or 15th when the next merge has been done. I will set a reminder for it.
Comment 45•5 years ago
|
||
FYI a new Jenkins LTS got released 2 days ago:
https://jenkins.io/changelog-stable/#v2.164.3
And it contains:
Make form submit buttons on the Jenkins classic UI compatible with potentially upcoming Firefox bug fix. (issue 53462, Firefox bug 1370630)
Hopefully we will be able to land this patch after our next merge. I will continue to monitor.
Comment 46•5 years ago
|
||
After 14 days there are still no reports for Jenkins which claim that their patch has been caused any kind of problems. As such do we want to move forward on this bug and get the patch landed for Firefox 69 only?
Assignee | ||
Comment 47•5 years ago
|
||
(In reply to Henrik Skupin (:whimboo) [⌚️UTC+2] from comment #46)
After 14 days there are still no reports for Jenkins which claim that their patch has been caused any kind of problems. As such do we want to move forward on this bug and get the patch landed for Firefox 69 only?
Yes, lets land this patch for 69. Thanks.
Comment 48•5 years ago
|
||
Pushed by echen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ab9d5eeaa90e Untrusted submit event shouldn't trigger form submission; r=smaug
Comment 49•5 years ago
|
||
bugherder |
Comment 51•5 years ago
|
||
Edgar, is that a change we actually should put into the developer release notes for the 69 release?
Assignee | ||
Comment 52•5 years ago
|
||
Release Note Request (optional, but appreciated)
[Why is this notable]: Form submission now won't be triggered by un-trusted event which is generated from web page, some web page might rely on this special behavior of Firefox, like bug 1399783. It's better to put into release notes.
[Affects Firefox for Android]: Yes
[Suggested wording]:
[Links (documentation, blog post, etc)]:
Comment 53•5 years ago
|
||
That's a developer note that is needed, so MDN works. Adjusting flags accordingly.
Updated•5 years ago
|
Comment 54•5 years ago
|
||
Is there any effective difference between patch landed here and that in bug 1535988?
The patch in bug 1535988 caused bug 1537555 and thus was reverted. Would this change cause the exactly the same issue again?
Comment 55•5 years ago
|
||
And it seems that the answer is yes. Bug 1556980 is just the new bug 1537555 :/
Comment 56•5 years ago
|
||
Posted site compatibility note: https://www.fxsitecompat.dev/en-CA/docs/2019/untrusted-submit-event-can-no-longer-trigger-form-submission/
Comment 57•5 years ago
|
||
(In reply to Xidorn Quan [:xidorn] UTC+10 from comment #54)
Is there any effective difference between patch landed here and that in bug 1535988?
The patch in bug 1535988 caused bug 1537555 and thus was reverted. Would this change cause the exactly the same issue again?
Right. Need to back out.
Comment 59•5 years ago
|
||
Actually, it seems that Edgar is on leave. Oops.
Olli, can you help w/ the backout?
Comment 60•5 years ago
|
||
Oh wait, I can just ask a Sheriff. Sorry for the mailspam.
Comment 61•5 years ago
|
||
Backed out changeset ab9d5eeaa90e (bug 1370630) on dev's request
Backout:
https://hg.mozilla.org/integration/autoland/rev/08a4f86a9afa4b2957e0438f9fa8f86778eb3b7f
Comment 62•5 years ago
|
||
Ryan, how do I request uplift for a backout changeset? The original patch landed in 69, but the backout happened in 70.
Comment 63•5 years ago
|
||
Yeah, let's get the backout on Beta too before we build 69.0b4.
Comment 65•5 years ago
|
||
uplift |
Comment 66•5 years ago
|
||
So do I understand correctly that landing of this patch is blocked by pages still using YUI2 which is deprecated since 2011? Or is there something more?
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Comment 67•4 years ago
|
||
Hi Dennis, we would like to remove this firefox-only behaviour, but Jenkins does some UA detection and does different things, idealy they should just do the same thing as other browsers. Per https://github.com/jenkinsci/jenkins/pull/3689, it seems Jenkins already landed the issue, but https://issues.jenkins-ci.org/browse/JENKINS-53462 was reopen? Could someone from webcompat team help to check the status of Jenkins? Thanks
In the mean time, I will try to add Telemetry to see the usage of this.
Updated•4 years ago
|
Comment 68•4 years ago
|
||
This is probably something for Henrik, as he was in touch with the Jenkins folk in their issue tracker. Henrik, can you ping them again? :)
Comment 69•4 years ago
|
||
I asked on the Jenkins issue. Will report back when I get an update.
Comment 70•4 years ago
|
||
(In reply to Edgar Chen [:edgar] from comment #67)
Hi Dennis, we would like to remove this firefox-only behaviour, but Jenkins does some UA detection and does different things, idealy they should
So what about the YUI 2.x issues that were detected in comment 54 and following? As a result of that your patch on this bug has been backed out from 69 beta. Did anything change here in the last year?
Comment 71•4 years ago
|
||
Edgar it would be great to get your feedback here. The Selenium project cannot make the change without that bug fixed first.
Assignee | ||
Comment 72•4 years ago
•
|
||
(In reply to Henrik Skupin (:whimboo) [⌚️UTC+2] from comment #70)
So what about the YUI 2.x issues that were detected in comment 54 and following?
Yes, the issue still there, not sure how YUI3 handle this.
As a result of that your patch on this bug has been backed out from 69 beta. Did anything change here in the last year?
No, just try to make some progress, what I plan to do is
- Land the fix, but behind a pref and off by default.
- Add Telemetry to see the usage of this.
- Maybe show some warnning on console saying this is deprecated.
Comment 73•4 years ago
|
||
That sounds fine. I can reach out to Jenkins again whenever we know that we want to turn this feature on by default. Note that the best time might be again after the next major ESR release whatever this will be?
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Comment 75•4 years ago
|
||
Comment 76•4 years ago
|
||
Pushed by echen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/49f51744024c Untrusted submit event shouldn't trigger form submission; r=smaug
Updated•4 years ago
|
Comment 77•4 years ago
|
||
bugherder |
Comment 78•4 years ago
|
||
Edgar please let me know when I should reach out to the Jenkins community again, and with which information. Thanks.
Comment 79•4 years ago
|
||
Comment on attachment 9201179 [details]
Bug 1370630 - Add UserCounter and deprecate warnning message for form submission via untrusted submit event;
Revision D104070 was moved to bug 1691357. Setting attachment 9201179 [details] to obsolete.
Comment 80•4 years ago
|
||
(In reply to Edgar Chen [:edgar] from comment #72)
No, just try to make some progress, what I plan to do is
- Land the fix, but behind a pref and off by default.
- Add Telemetry to see the usage of this.
- Maybe show some warnning on console saying this is deprecated.
Hi Edgar, would you mind to give an update of where we are right now? Thanks
Assignee | ||
Comment 81•4 years ago
|
||
(In reply to Henrik Skupin (:whimboo) [⌚️UTC+1] from comment #80)
(In reply to Edgar Chen [:edgar] from comment #72)
- Land the fix, but behind a pref and off by default.
Fix is landed but behind a pref, dom.forms.submit.trusted_event_only
, in https://hg.mozilla.org/mozilla-central/rev/49f51744024c.
- Add Telemetry to see the usage of this.
- Maybe show some warnning on console saying this is deprecated.
Telemetry and warning on console are handled in bug 1691357.
Comment 82•4 years ago
|
||
I just submitted a comment to the Jenkins issue to let them know that a preference exists to turn on the feature. Lets see if that helps them to get the remaining issues solved.
Regarding Telemetry is there a place that can be checked to get the current count? As I read the telemetry probe will be around for 6 months and we are already 1/3 through that time. Thanks!
Assignee | ||
Comment 83•4 years ago
|
||
(In reply to Henrik Skupin (:whimboo) [⌚️UTC+1] from comment #82)
I just submitted a comment to the Jenkins issue to let them know that a preference exists to turn on the feature. Lets see if that helps them to get the remaining issues solved.
Thanks.
Regarding Telemetry is there a place that can be checked to get the current count? As I read the telemetry probe will be around for 6 months and we are already 1/3 through that time. Thanks!
Comment 84•4 years ago
|
||
A PR for Jenkins got merged end of last week that fixes the problem on their side. It has been tested with both configurations and so far it seems to be fine. Note that they don't want to rush a patch like that again into a LTS release, so having it properly fixed would mean a time around early June or at maximum late August.
Updated•3 years ago
|
Comment 85•3 years ago
|
||
Edgar, I wanted to give a quick update regarding Jenkins. Given my last comment the changes as pushed with the above PR are stable now and even reached the LTS release by June this year. As such Jenkins is no longer a blocker.
So next will be bug 1653625 then?
Updated•3 years ago
|
Assignee | ||
Comment 86•3 years ago
|
||
Thanks for the update! Yeah, I think we should fix bug 1653625 first and then we could try to enable the pref on Nightly again.
Comment 87•2 years ago
|
||
The leave-open keyword is there and there is no activity for 6 months.
:edgar, maybe it's time to close this bug?
For more information, please visit auto_nag documentation.
Comment 88•2 years ago
|
||
The severity field for this bug is relatively low, S3. However, the bug has 3 duplicates.
:edgar, could you consider increasing the bug severity?
For more information, please visit auto_nag documentation.
Assignee | ||
Updated•2 years ago
|
Comment 90•1 year ago
|
||
Summarize the timeline discussion from Bug 1653625 comment 45 - the webcompat risk of landing bug 1653625 in 115 (and will be in ESR 115) is thought to be small, while this bug 1370630 is the main risk, that we don't want to ship in 115 (as well as ESR) without longer baking time.
Comment 91•1 year ago
|
||
Now that Firefox 115 is on beta will the patches on this bug land soon so that there is enough baking time before the next to beta merge? Thanks.
Comment 92•1 year ago
|
||
(In reply to Henrik Skupin [:whimboo][⌚️UTC+2] from comment #91)
Now that Firefox 115 is on beta will the patches on this bug land soon so that there is enough baking time before the next to beta merge? Thanks.
Hey, no, I don't expect any timeline planned for this yet (but happy to have this being picked up when we have bandwidth); there are other tasks with higher priorities than this in the form area. I think S3/P3 is still the right rating, as commented here. Let me know if I misunderstood anything.
Updated•1 year ago
|
Assignee | ||
Comment 93•1 year ago
|
||
(I don't think this is a regression)
Description
•