Jenkins XSS protection interferes with API access (leads to 403)

Latest info from Deepti is that even using account/password backed by Jenkins user database, there's still 403.

Next testcase idea: run it with API keu auth on android-build and see how it goes.

Ok,

./mangle-jobs --user=pfalcon build-timeout-set.mangle --really

worked well (changed jobs as expected) on android-build. So, problem is not in Jenkins, but in some peculiarities and/or configuration of ci.linaro.org.

After investigation, I found that 403 Forbidden response is accompanied by:

Jun 4, 2012 10:59:52 AM hudson.security.csrf.CrumbFilter doFilter
WARNING: No valid crumb was included in request for /jenkins/job/precise-armhf-beagleboard/lastBuild/configSubmit. Returning 403.

And traced that to "Prevent Cross Site Request Forgery exploits" being activated on ci.linaro.org (and not on android-build). If it's disabled, mangle-jobs script works as expected. There's also "Enable proxy compatibility" sub-option, but activating it doesn't change the behavior. I.e., to workaround the issue, "Prevent Cross Site Request Forgery exploits" should be turned off while script is being run.

Now, for more sustained solution, further research should be made - for example, it's apparently the case that XSS protection token should not be required for API access, so requiring it is Jenkins bug, but that should be checked yet. Then, we should check if it still would be easy to add token to API calls as a workaround, or if it makes sense to turn off that option permanently.

See

http://issues.hudson-ci.org/browse/HUDSON-5241
http://issues.hudson-ci.org/browse/HUDSON-6072
https://issues.jenkins-ci.org/browse/JENKINS-12875

for examples where similar issue hit other parts of Jenkins functionality.