Closed Bug 1399783 Opened 7 years ago Closed 5 years ago

jenkins website uses non-trusted submit event on Firefox

Categories

(Web Compatibility :: Site Reports, defect, P3)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: stone, Unassigned)

References

(Blocks 1 open bug, )

Details

(Keywords: webcompat:contact-ready, Whiteboard: [contactready])

The jenkins website [1] uses a non-trusted submit event on Firefox. It was found when trying to fix bug 1370630, which disables browser form element default actions for non-trusted events. Landing the patch will break the jenkins website. When changing the UA of Firefox to be the same as Chrome, it works (verified on an internal jenkins server because I don't have access to the public server).

Need some help to contact the website author to fix it.

[1] https://jenkins.qa.ubuntu.com/login?from=%2F
[2] http://jenkins2.legacyserver.in/
See Also: → 1370630
Adam, can you help get in touch please?
Flags: needinfo?(astevenson)
Whiteboard: [contactready]
Adam: reaching out to the Jenkins project itself likely won't help as much as finding the owner of the Ubuntu QA Jenkins instance, and reaching out to them, directly.

Ming: what's the [2] footnote for?  It's not referenced in comment 0.
(In reply to Stephen Donner [:stephend] from comment #2)
> Adam: reaching out to the Jenkins project itself likely won't help as much
> as finding the owner of the Ubuntu QA Jenkins instance, and reaching out to
> them, directly.
> 
> Ming: what's the [2] footnote for?  It's not referenced in comment 0.

Oops. That's the internal jenkins server on which I verified the problem.
(In reply to Stephen Donner [:stephend] from comment #2)
> Adam: reaching out to the Jenkins project itself likely won't help as much
> as finding the owner of the Ubuntu QA Jenkins instance, and reaching out to
> them, directly.

Is that because the Ubuntu QA instance is doing something custom? If vanilla Jenkins ships with the behavior we want to be in touch with both.
Flags: needinfo?(stephen.donner)
(In reply to Mike Taylor [:miketaylr] from comment #4)
> (In reply to Stephen Donner [:stephend] from comment #2)
> > Adam: reaching out to the Jenkins project itself likely won't help as much
> > as finding the owner of the Ubuntu QA Jenkins instance, and reaching out to
> > them, directly.
> 
> Is that because the Ubuntu QA instance is doing something custom? If vanilla
> Jenkins ships with the behavior we want to be in touch with both.

Jenkins is a web application, not a website (just for clarity).  Your best bet is to search for and file a JIRA issue here, if you can reproduce in a vanilla install of either/both LTS and Weekly releases: https://issues.jenkins-ci.org
Flags: needinfo?(stephen.donner)
And, sorry, I should've offered: after filing a JIRA issue, please mention it here, and I'll do my best to help shepherd it into the right hands/raise the right visibility (no promises on results, but I know some key folks there).
Flags: needinfo?(astevenson)
(In reply to Ming-Chou Shih [:stone] from comment #7)
> Created https://issues.jenkins-ci.org/browse/WEBSITE-454

That bug was closed as WONTFIX, which doesn't seem very useful. Stone, would you be able to ping that issue and ask where it should be opened instead?
Flags: needinfo?(stone123456)
Priority: -- → P3
See Also: → 1477286
(In reply to Mike Taylor [:miketaylr] (62 Regression Engineering Owner) from comment #8)
> > Created https://issues.jenkins-ci.org/browse/WEBSITE-454
> would you be able to ping that issue and ask where it should be opened instead?

I could not reproduce this issue in Weekly releases, but I still could reproduce it in the LTS release. I have pinged that issue and asked whether we should reopen it.
Flags: needinfo?(stone123456) → needinfo?(miket)
Blocks: 1370630
See Also: 1370630
Thanks Edgar.
Flags: needinfo?(miket)
(In reply to Edgar Chen [:edgar] from comment #9)
> (In reply to Mike Taylor [:miketaylr] (62 Regression Engineering Owner) from
> comment #8)
> > > Created https://issues.jenkins-ci.org/browse/WEBSITE-454
> > would you be able to ping that issue and ask where it should be opened instead?
> 
> I could not reproduce this issue in Weekly releases, but I still could
> reproduce it in the LTS release. I have pinged that issue and asked whether we
> should reopen it.

Is it possible to ping Jenkins again for this? Thank you.
Flags: needinfo?(miket)
At least I asked on the JIRA issue again. If we cannot expect a backport of the fix to the current LTS, it would be nice to know when the next major LTS is about to get released.
Adam, can you help us find a good contact for Jenkins?
Flags: needinfo?(miket) → needinfo?(astevenson)
(In reply to Mike Taylor [:miketaylr] (62 Regression Engineering Owner) from comment #13)
> Adam, can you help us find a good contact for Jenkins?

Please always check the JIRA issue first. We had some further conversation last week, and it looks like some more submit forms are affected besides the login page. I have just updated the page after the discussion had stalled for the last 6 days.
OK, it's not clear to me what the ask is then. Sounds like y'all have this under control?
Flags: needinfo?(astevenson)
A contact who could drive this would still be great.
Ah, understood. I think I mis-parsed your earlier comment. 

Adam, can you help us dig up someone from Jenkins?
Flags: needinfo?(astevenson)
Reaching out to Jenkins to hopefully get a contact to help. Apologies for the delay.
Flags: needinfo?(astevenson)
They created a pull request for this:
https://github.com/jenkinsci/jenkins/pull/3689

They mention in the PR:

"Once the build passes, we should have a .war we can ask our friends at Mozilla to take a crack at testing with us.

There is now a built artifact which can be used for testing here:
https://ci.jenkins.io/job/Core/job/jenkins/job/PR-3689/2/artifact/org/jenkins-ci/main/jenkins-war/2.147-rc27437.1590be3ff083/jenkins-war-2.147-rc27437.1590be3ff083.war"

Henrik, is this something you can help with?
Flags: needinfo?(hskupin)
Sorry, but I don't know what to test. My aim is only to get our patch landed. As such I asked on the Jenkins issue if they could test, and also provided a link to the nightly builds of Firefox which include the patch so that they don't have to build.

Adam, it would be good if you could still follow-up on other upcoming questions. Thanks.
Flags: needinfo?(hskupin)
No follow-up from Adam so far, so I will just do it now.

Please note that the underlying behavior in Jenkins has been changed and the fix for us is in the 2.148 release of Jenkins from October 21st. Is there anyone who would have a chance to test this Jenkins release with Firefox and the patch on bug 1370630 applied? 

https://hg.mozilla.org/mozilla-central/rev/367b6f947f87 has the link to the builds of Firefox which have the changes included.

Dave, or Stephen, maybe you are still running latest (no LTS) releases of Jenkins for some of our CI systems?
(In reply to Henrik Skupin (:whimboo) from comment #21)
> Dave, or Stephen, maybe you are still running latest (no LTS) releases of
> Jenkins for some of our CI systems?

I should also needinfo both of them...
Flags: needinfo?(stephen.donner)
Flags: needinfo?(dave.hunt)
I'm not running latest anywhere, but I can spin up a docker image and test this. Leaving the needinfo, will report back shortly.
I'm unable to reproduce the issue using latest Jenkins LTS (2.138.2) and the macOS build from https://archive.mozilla.org/pub/firefox/nightly/2017/07/2017-07-07-10-01-52-mozilla-central/. I understand that due to the login page refactoring that is no longer a suitable reproduction case, however I also tried navigating to the main Jenkins configuration and clicking the Save button. It seems to work every time for me.
Flags: needinfo?(stephen.donner)
Flags: needinfo?(hskupin)
Flags: needinfo?(dave.hunt)
That is great to hear, Dave! Yes, so far that should be everything which needs to be checked. If saving the settings works, then it should be fine. Thanks a lot for testing it.

Now we have to wait for the next LTS release of Jenkins. I will ask again on the github issue for nomination so that it won't be forgotten.
Flags: needinfo?(hskupin)
Sorry for not being more clear. I cannot replicate this on a version that I believe should demonstrate the issue, and therefore I'm unable to confirm if the fix is working.
Flags: needinfo?(hskupin)
I see. Meanwhile they even had to back out the fix because it caused a regression in Jenkins. Another fix is proposed for the yui library in use. For details, see https://issues.jenkins-ci.org/browse/JENKINS-53462?focusedCommentId=353794&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-353794

Adam, can you or someone else who knows the details for this bug please follow-up and help with testing?
Flags: needinfo?(hskupin) → needinfo?(astevenson)
Henrik, yes we will follow up. Thanks for all your help. :)

Leaving my NI for now.
Jenkins folks are really awaiting the feedback. So can you please follow-up on it? Also see https://github.com/jenkinsci/jenkins/pull/3761#issuecomment-440828721
I think the biggest hurdle here is we don't have any experience standing up jenkins servers to test here. I asked if there's any publicly available staging environment where we can test.

https://github.com/jenkinsci/jenkins/pull/3761#issuecomment-448735692
Flags: needinfo?(astevenson)
Product: Tech Evangelism → Web Compatibility

I seem to have replicated the Jenkins v2.60.3 issue on the latest version of Nightly, 68.0a1 (2019-03-21) (Windows 10).
This (as far as I could tell) was always working up until the v68 bump of Nightly.
This also seems to only affect installations of older versions of jenkins, as when using a docker image of the latest LTS I was able to log in with Nightly.

Tested/Replicated the bug with the following:

  • My main profile with a few plugins (Cannot Login)
  • A completely blank profile (Cannot Login)

Tested / cannot replicate bug:

  • Firefox Mainline v66.0 (Windows 10)
  • Chrome v73.0.3683.86

Jenkins Versions Tested:

  • 2.60.3 (Docker "Latest")

Steps for replication on older jenkins versions:

  1. Install Docker
  2. Follow: https://wiki.jenkins.io/display/JENKINS/Installing+Jenkins+with+Docker it's basically:
    2.1 To get jenkins v2.60.3 run: (This is the affected version)
    2.1.1 mkdir $PWD/jenkins && docker run -d -p 49001:8080 -v $PWD/jenkins:/var/jenkins_home:z -t jenkins
    2.2 To get jenkins v2.164.1 run: (This version is not affected)
    2.2.1 mkdir $PWD/jenkins && docker run -d -p 49001:8080 -v $PWD/jenkins:/var/jenkins_home:z -t jenkins/jenkins:lts
    2.3 Warning: If running the above command, it listens on all open interfaces; if not behind a firewall, be careful with step 7.
  3. Load up Nightly with http://localhost:49001 (assuming local docker)
  4. On your host, cat secrets/initialAdminPassword for the "default jenkins password" and enter it in jenkins
  5. Select "Install default plugins"
  6. Wait until jenkins is done installing the plugins
    6.1 If it does not install certain plugins or fails, don't worry, as it's a jenkins problem not a plugin problem (as far as I can tell)
  7. Type in a username, password and email (don't worry, can be "admin","admin","admin@example.com")
  8. You will now be automatically logged in as the admin user. (And now have a "fully setup jenkins instance")
  9. Logout
  10. Try to log back in with your "admin:admin"
  11. You are now not logged in

Notes:

When clicking the login button, it seems like the DOM is changing, but there is no network activity when looking at the developer console.

As noted in https://issues.jenkins-ci.org/browse/JENKINS-53462 Jenkins will ship a fix with the upcoming 2.173 release. If it is stable (and won't be backed out again) and lands for LTS, we can try to fix bug 1370630 again.

See bug 1547409. Moving webcompat whiteboard tags to keywords.

So the shipped fix by Jenkins didn't affect any user so far. And it actually already got fixed in the v2.164.3 LTS, which means no more waiting.

Besides that, we also already got bug 1370630 landed, which is a great milestone.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED