Bug Submission Assistant : same origin policy violation fixed

All versions of the Bug Submission Assistant had a same origin policy problem that prevented user feedback. It was fixed by requiring a server side reverse proxy definition and by adding a variable that can be controlled by the enclosing frame.

diagnostic and workaround

The Bug Submission Assistant form may contain an attachment to upload. The bug entry form can only be submitted using a hidden iframe instead of a regular ajax call, because the content of a type="file" input element cannot be retrieved by the javascript code. The alternative would be to submit a regular form, but the result would be to expose the bugzilla web interface.
In the last step of the Bug Submission Assistant, the bugzilla entry is created by submitting a form within a hidden iframe. The iframe content is then extracted to find the bug number of the newly submitted bug and display a confirmation to the user, with a link to the corresponding bugzilla page. If an error occurs, the message is extracted from the iframe and displayed at the top of the Bug Submission Assistant page.
Although this logic works when the Bug Submission Assistant is used from the bugassistant.libreoffice.org virtual host, it failed when the assistant was included in an iframe from libreoffice.org. The bug report was created but the iframe was left empty and the Bug Submission Assistant was unable to find the bug report number or an error message. As a consequence, the user had no feedback and was confused. While the problem was being fixed, a placeholder with a link to bugzilla replaced the Bug Submission Assistant to avoid confusing users.

history

In the first version of the Bug Submission Assistant, the bug was submitted using an ajax call and the attachment could only be added as a second step. Testing was done using the bugassistant virtual host and, when it was added as an iframe, the tests were limited to submitting the bug and did not cover attaching the image. Reverting the code to the last version including a two step submission showed that the feedback for the attachment failed when done in an iframe. The diagnostic took a few hours because it was assumed the problem did not show until recently. When it was proved that it was only amplified by the last change, the diagnostic was logical.
The problem was first reported shortly after an upgrade of bugs.freedesktop.org to bugzilla version 4 and it was first assumed that it was the cause of the breakage. However, after running a few checks it became clear that bugzilla version 4 was using the exact same fields with the same semantics, providing enough backward compatibility for the Bug Submission Assistant to run without error. Given the number of tools created on top of bugzilla, it is unlikely that it will ever change. It would, however, be an interesting development to use the API introduced in bugzilla version 3 to allow the Bug Submission Assistant to interact with the server in a more canonical way. The only obstacle to using only the API is the need for an iframe to handle file uploads.

server side solution

The proposed reverse proxy definition introduces the required URL, allowing the Bug Submission Assistant to access bugzilla without violating the same origin policy, even when included in an iframe.
Another approach to the problem would be to set the document.domain variable to relax the same origin policy because bugassistant.libreoffice.org is in the same domain as libreoffice.org. Unfortunately this requires that all documents loaded in each iframe set it to:

document.domain = 'libreoffice.org';

which bugzilla cannot do.
Yet another approach would be to reverse the inclusion logic and redirect the libreoffice.org page to a bugassistant page that acts as a reverse proxy to both libreoffice.org and bugs.freedesktop.org. This would be possible because the URLs of libreoffice.org do not conflict with the URLs of bugs.freedesktop.org. But that would require a lot more configuration and more maintenance, because each bugs.freedesktop.org script used by the Bug Submission Assistant would need to be explicitly listed in the reverse proxy configuration.

client side solution

The Bug Submission Assistant must be aware of a URL to query bugzilla that has the same origin as the enclosing iframe it is in, if any. The

$.bug.url = '';

variable is introduced in bug.js and defaults to the empty string, which was the previous behavior, assuming that it runs on top of a reverse proxy to bugzilla on the same domain and no iframe is involved. When initialized, the Bug Submission Assistant checks if it is in an iframe and, if the parent frame defines a bugzilla_url variable, uses its content to set the $.bug.url variable.

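        frame: function() {
            // Only when running inside a frame (window is not the top window)
            // and the enclosing page defines bugzilla_url.
            if($.bug.window != $.bug.window.top && $.bug.window.parent.bugzilla_url !== undefined) {
                // Use the URL provided by the enclosing page for bugzilla requests.
                $.bug.url = $.bug.window.parent.bugzilla_url;
            }
        },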

The https://libreoffice.org/get-help/bug/ page has been modified to define a bugzilla_url variable that the Bug Submission Assistant will pick up.
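Because $.bug.url is taken from the enclosing page, the lookup can also check that the value really is same origin before using it. The following is an added example, not code from bug.js: resolveBugzillaUrl, fakeFrame and the sample URLs are hypothetical, and the window objects are constructed stand-ins so the logic runs outside a browser.

```javascript
// Added example: defensive variant of the frame() lookup.
// Returns the bugzilla base URL to use, or `fallback` (the '' default).
function resolveBugzillaUrl(win, fallback = '') {
  // Top-level document: keep the default (reverse proxy on the same host).
  if (win === win.top) return fallback;

  let candidate;
  try {
    // In a browser, reading a property of a cross-origin parent throws.
    candidate = win.parent.bugzilla_url;
  } catch (e) {
    return fallback;
  }
  if (typeof candidate !== 'string' || candidate === '') return fallback;

  let resolved;
  try {
    // Relative values are resolved against the document's own location.
    resolved = new URL(candidate, win.location.href);
  } catch (e) {
    return fallback;
  }
  // The hidden iframe result is only readable if it is same origin with us.
  if (resolved.origin !== new URL(win.location.href).origin) return fallback;
  // Assumption: callers append paths such as '/enter_bug.cgi' to the result.
  return resolved.href.replace(/\/$/, '');
}

// Constructed stand-in for a framed window (not a real browser object).
function fakeFrame(href, parent) {
  return { location: { href }, parent, top: parent };
}

// Constructed sample cases.
const sameOriginParent = { bugzilla_url: '/bugzilla' };
const foreignUrlParent = { bugzilla_url: 'https://bugs.freedesktop.org' };
const crossOriginParent = {
  get bugzilla_url() { throw new Error('SecurityError'); }
};
const topLevel = { location: { href: 'https://bugassistant.libreoffice.org/' } };
topLevel.top = topLevel;
topLevel.parent = topLevel;
```

A value pointing at another origin is rejected rather than used, so the assistant falls back to its default instead of submitting through a URL whose response it could not read.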


4 Responses to Bug Submission Assistant : same origin policy violation fixed

  1. Mathias says:

    I was surprised, when going to https://bugassistant.libreoffice.org/query.cgi , to be able to search for D-BUS issues. Should you not have hidden the Project field and forced it to LibreOffice ?
    The page is named bugassistant.libreoffice.org, after all

    • Loic Dachary says:

      It is surprising indeed. Note, however, that https://bugassistant.libreoffice.org/ is hidden to the casual user who only interacts with the Bug Submission Assistant. If the expert user explores what is under the hood, (s)he will find this URL and hopefully understand it is a reverse proxy to all of bugs.freedesktop.org. My focus was to make things clear and straightforward for the casual user and I did not pay much attention to the expert user.

  2. Mebug says:

    OMG - huge effort to go around the problems when all you need is built-in in Bugzilla itself. Starting from template customization (example simple page is even live https://bugs.freedesktop.org/enter_bug.cgi?product=LibreOffice&format=guided), Bugzilla API, or Bugzilla Webservices (JSON-RPC, XML-RPC).
    This split also makes that users are not aware that BSA is in fact bugs.freedesktop.org frontend and to see all their reports, set their preferences for bugmail, search, tag bugs etc. they must login to Bugzilla as a separate system (seems for some “Please login using your bugzilla account” message is not enough). Delivering a bug tracker from 3 different addresses is IMHO also not a best practice at all (bugassistant.libreoffice.org, bugs.freedesktop.org, http://www.libreoffice.org/bugzilla/). Also a lot of users are replying by e-mail gateway of Bugzilla which is another problem.

    Interesting links:
    https://bugs.freedesktop.org/docs/en/html/cust-templates.html
    http://www.bugzilla.org/docs/4.2/en/html/api/
    bugzilla.mozilla.org custom guided bug entry extension – http://bzr.mozilla.org/bmo/4.2/files/head:/extensions/GuidedBugEntry/ (and all additional modifications and extensions available at this repo)

    • Loic Dachary says:

      Hi,
      At the time the APIs were not available and indeed it makes things a lot more complicated :-) I suggest you get in touch with the current maintainer to explain how the process could be simplified.
      Cheers
