chore: remove document.domain usage for cross-origin testing (#24945)

packages/driver/src/cypress.ts

@@ -180,9 +180,10 @@ class $Cypress {
   configure (config: Record<string, any> = {}) {
     const domainName = config.remote ? config.remote.domainName : undefined
 
-    // set domainName but allow us to turn
-    // off this feature in testing
-    if (domainName && config.testingType === 'e2e') {
+    // set domainName but allow us to turn off this feature in testing. not
+    // needed for cross-origin spec bridge, since it is strictly used
+    // same-origin
+    if (domainName && !this.isCrossOriginSpecBridge && config.testingType === 'e2e') {
       document.domain = domainName
     }
 

packages/network/lib/cors.ts

@@ -227,11 +227,14 @@ export function getOrigin (url: string) {
 }
 
 /**
- * We use the super domain origin in the driver to determine whether or not we need to reload/interact with the AUT, and
- * currently in the spec bridge to interact with the AUT frame, which uses document.domain set to the super domain
+ * Returns the super-domain of a URL
+ *
+ * The primary driver uses the super-domain origin to allow tests to
+ * navigate between subdomains of the same super-domain by setting
+ * document.domain to the super-domain
  * @param url - the full absolute url
- * @returns the super domain origin -
- * ex: http://www.example.com:8081/my/path -> http://example.com:8081/my/path
+ * @returns the super domain origin
+ * ex: http://www.example.com:8081/my/path -> http://example.com:8081
  */
 export function getSuperDomainOrigin (url: string) {
   // @ts-ignore

packages/proxy/lib/http/util/inject.ts

@@ -28,13 +28,11 @@ export function full (domain) {
   })
 }
 
-export async function fullCrossOrigin (domain, options: FullCrossOriginOpts) {
+export async function fullCrossOrigin (options: FullCrossOriginOpts) {
   const contents = await getRunnerCrossOriginInjectionContents()
 
   return oneLine`
     <script type='text/javascript'>
-      document.domain = '${domain}';
-
       (function (cypressConfig) {
         ${contents}
       }(${JSON.stringify(options)}));

packages/proxy/lib/http/util/rewriter.ts

@@ -42,7 +42,7 @@ function getHtmlToInject (opts: InjectionOpts & SecurityOpts) {
     case 'full':
       return inject.full(domainName)
     case 'fullCrossOrigin':
-      return inject.fullCrossOrigin(domainName, {
+      return inject.fullCrossOrigin({
         modifyObstructiveThirdPartyCode,
         modifyObstructiveCode,
         simulatedCookies,

packages/server/lib/html/spec-bridge-iframe.html

@@ -5,9 +5,6 @@
     <title>{{title}}</title>
   </head>
   <body>
-    <script type="text/javascript">
-      document.domain = '{{domain}}';
-    </script>
     <script src="/{{namespace}}/runner/cypress_cross_origin_runner.js"></script>
   </body>
 </html>

packages/server/test/integration/http_requests_spec.js

@@ -2651,7 +2651,7 @@ describe('Routes', () => {
         })
       })
 
-      it('injects document.domain on AUT iframe requests that do not match current superDomain', function () {
+      it('does not inject document.domain on AUT iframe requests that do not match current superDomain', function () {
         nock('http://www.foobar.com')
         .get('/')
         .reply(200, '<html><head></head><body>hi</body></html>', {
@@ -2671,7 +2671,7 @@ describe('Routes', () => {
 
           const body = cleanResponseBody(res.body)
 
-          expect(body).to.include(`<html><head> <script type='text/javascript'> document.domain = 'foobar.com';`)
+          expect(body).not.to.include('document.domain =')
         })
       })