Commit Graph

156 Commits

Author SHA1 Message Date
Chris Breiding
2c8337a913 chore: upgrade @cypress/request-promise to 5.0.0 (#27655) 2023-08-24 11:14:18 -04:00
Chris Breiding
7f45375439 breaking: Upgrade @cypress/request to 3.0.0 (#27495) 2023-08-23 15:16:27 -04:00
Ryan Manuel
43821bf53d feat: handle empty response bodies by communicating them to the protocol from the proxy (#27606) 2023-08-21 19:31:40 -05:00
Bill Glesias
f1b3741a40 Merge pull request #27537 from cypress-io/chore/merge_develop_into_release_13
chore: merge develop into release 13
2023-08-15 17:13:59 -04:00
Ryan Manuel
462ee04df9 feat: enable the protocol to retrieve response bodies from the network proxy (#27462)
Co-authored-by: Matt Schile <mschile@cypress.io>
Co-authored-by: Ryan Manuel <ryanm@cypress.io>
Co-authored-by: Cacie Prins <cacie@cypress.io>
Co-authored-by: Cacie Prins <cacieprins@users.noreply.github.com>
Co-authored-by: Chris Breiding <chrisbreiding@users.noreply.github.com>
fix: do not correlate cached requests in the proxy (#27525)
2023-08-15 13:41:36 -05:00
Jordan
1061f858a8 chore: update tough cookie (#27515)
* chore: update tough-cookie from 4.0.0 to 4.1.3. requires v8 snapshot update

* fix: tough-cookie as of 4.1 doesn't default sameSite undefined to none any longer. However, we want to set sameSite === undefined to lax as the default as this is the case in every standard browser, except firefox. We did this previously and this is behavior we want to continue to preserve, even for security reasons

* chore: update v8 snapshots

* fix issue with global toString

* chore: run ci

* chore: update @cypress/request to 2.88.22 and @cypress/request-promise to 4.2.7 [run ci]

* remove jsdom and start-server-and-test

* revert @cypress/request back to 2.88.12

* update changelog entry

* remove unneeded deps

---------

Co-authored-by: Bill Glesias <bglesias@gmail.com>
Co-authored-by: Ryan Manuel <ryanm@cypress.io>
2023-08-11 13:42:36 -04:00
Adam Stone-Lord
28189fb577 chore: remove check-ts from Gulp (#27492)
* chore: update build-npm-modules script

* chore: update build-npm-modules script

* chore: update build-npm-modules script

* chore: update build-npm-modules script

* [run ci]

* we can't clean without building after

* update commands

* add config for data-context build step

* fix output configurations for npm packages, add gitignores

* revert changes to config and data-context build steps

* run with cache

* fix outputs for cli

* actually fix outputs

* test with cache

* chore: remove check-ts from Gulp and use Nx

* try limiting concurrency

* try concurrency 1

* add check-ts to packages where it is missing

---------

Co-authored-by: jordanpowell88 <jordan@jpdesigning.com>
2023-08-10 16:04:25 -04:00
Bill Glesias
68f8f99a9d chore: update node types from v14 to v16 latest to be current (no 16.16.0 types exist). Fixes types issues with webpack upgrade. (#27425)
chore: bump the Typescript minimum version in the CLI from 3.4 to 3.9
2023-08-01 09:16:49 -04:00
Bill Glesias
2e092add12 perf: no longer pause every single request through CDP and only pause requests needed for AUT document [run ci] (#26623) 2023-07-21 13:38:35 -04:00
Jennifer Shehane
9ce54e36c4 dependency: bump cypress-request packages, loosen semver rules to ^ (#27005)
Co-authored-by: Matt Schile <mschile@cypress.io>
2023-07-07 11:28:44 -04:00
Bill Glesias
ca1b42c2ae chore: reorganize middleware and add telemetry to OmitProblematicHeaders (#27139)
* move omitProblematicHeaders above set injection level (1:1 change).
Addresses https://github.com/cypress-io/cypress/pull/26483/files#r1203011105

* chore: add telemetry to omitProblematicHeaders
2023-06-26 16:35:52 -04:00
Preston Goforth
71c5b864ea feat: Selective CSP header stripping from HTTPResponse (#26483)
* feat: Selective CSP header directive stripping from HTTPResponse
- uses `stripCspDirectives` config option

* feat: Selective CSP header directive permission from HTTPResponse
- uses `experimentalCspAllowList` config option

* Address Review Comments:
- Add i18n for `experimentalCspAllowList`
- Remove PR link in changelog
- Fix docs link in changelog
- Remove extra typedef additions
- Update validation error message and snapshot
- Fix middleware negated conditional

* chore: refactor driver test into system tests to get better test
coverage on experimentalCspAllowList options

* Address Review Comments:
- Remove legacyOption for `experimentalCspAllowList`
- Update App desc for `experimentalCspAllowList` to include "Content-Security-Policy-Report-Only"
- Modify CHANGELOG wording
- Specify “never” overrideLevel
- Remove unused validator (+2 squashed commits)
- Add "Addresses" note in CHANGELOG to satisfy automation
- Set `canUpdateDuringTestTime` to `false` to prevent confusion

* chore: Add `frame-src` and `child-src` to conditional CSP directives

* chore: Rename `isSubsetOf` to `isArrayIncludingAny`

* chore: fix CLI linting types

* chore: fix server unit tests

* chore: fix system tests within firefox and webkit

* chore: add form-action test

* chore: update system test snapshots

* chore: skip tests in webkit due to form-action flakiness

* chore: Move 'sandbox' and 'navigate-to' into `unsupportedCSPDirectives`
- Add additional system tests
- Update snapshots and unit test

* chore: update system test snapshots

* chore: fix system tests

* chore: do not run csp tests within firefox or webkit due to flake issues in CI

* chore: attempt to increase intercept delay to avoid race condition

* chore: update new snapshots with video defaults work

* chore: update changelog

---------

Co-authored-by: Bill Glesias <bglesias@gmail.com>
Co-authored-by: Matt Schile <mschile@cypress.io>
2023-06-14 14:54:52 -05:00
Matt Henkes
dc80641d02 chore: telemetry pr cleanup (#26776) 2023-05-17 10:51:02 -05:00
Matt Henkes
50ffd5ee1d chore: add telemetry to the proxy (#26695)
* chore: set up instrumentation and instrument middleware

* chore: set up console exporter

* chore: add parent span option to telemetry package

* chore: set up telemetry verbose mode

* chore: instrument the network proxy - part 1

* chore: make sure to terminate spans when request is aborted

* fix telemetry, create/end the request middle prior to sending the outbound request

* avoid telemetry ts build step, create entrypoint into packages/telemetry using TS conventions

* allow env vars to be "true" or "1"

* when creating child span, inherit their attributes directly from the parent

* create custom honeycomb exporter and span processor to log traces

* remove duplicate code that's already called in this.setRootContext

* cleanup

* more clean up

* update honeycomb network:proxy attributes, update console.log message

* yarn lock

* chore: remove performance API in middleware

* chore: end response on correct event

* recursively gather parent attributes on close

* added key and some clean up

* github action detector, move verbose into index, verbose log commands

* some tests

* clean up honeycomb exporter

* some renaming

* testing console trace link exporter

* Don't lose the top span when running in verbose.

* link to the right place for prod/dev

* changes to verbose to make sure it is read in the browser

* Apply suggestions from code review

* pass parent attributes between telemetry instances

* default to false

* 'fix' build issues

* src not dist

* add back on start span

* once more with feeling

* Fix some tests

* try this i guess

* revert auto build

* Apply suggestions from code review

Co-authored-by: Bill Glesias <bglesias@gmail.com>

* support failed commands

* Address PR comments

* Address PR Comments

* error handling

* handle all the errors

---------

Co-authored-by: Bill Glesias <bglesias@gmail.com>
Co-authored-by: Brian Mann <brian.mann86@gmail.com>
2023-05-17 08:32:10 -05:00
Emily Rohrbough
f49e25322c chore: list rimraf dev-dependency once in repo (#26257) 2023-03-28 20:49:09 -05:00
Zach Bloomquist
039ebad220 feat(intercept): add { log: false } to StaticResponse (#25547)
* begin setting log with the backend

* revert backend changes

* update interface now that we are only doing static log

* change existing logging logic to run in proxy layer instead

* add tests, fix small bugs

run ci

* fix tests

* add changelog

* run ci

* run ci

* fix cl

run ci

* Update cli/CHANGELOG.md

---------

Co-authored-by: Matt Henkes <mjhenkes@gmail.com>
2023-03-14 08:54:46 -05:00
Bill Glesias
59c1175065 chore: improve types for server automation cookie client (#25836)
* chore: improve types for automation cookies

* [run ci]
2023-02-20 14:52:38 -05:00
Mike Plummer
efc195896a fix: Improve error handling around calls to this.next in middleware (#25702) 2023-02-08 10:17:28 -06:00
renovate[bot]
bcb945d6ce dependency(deps): update dependency debug to ^4.3.4 🌟 (#25699)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Stokes Player <stokes.player@gmail.com>
2023-02-06 15:35:34 -05:00
Bill Glesias
478407ec38 fix: revert CSP header and script-src addition (#25445)
* Revert "feat: Do not strip CSP headers from HTTPResponse (#24760)"

This reverts commit 0472bb9cdb.

* run ci
2023-01-13 10:59:00 -05:00
Preston Goforth
0472bb9cdb feat: Do not strip CSP headers from HTTPResponse (#24760)
Co-authored-by: Zach Bloomquist <git@chary.us>
Closes https://github.com/cypress-io/cypress/issues/1030
2023-01-11 17:37:45 +00:00
Bill Glesias
d470f59ea2 feat: experimental skip domain injection (#25307)
* feat: set up experimentalUseDefaultDocumentDomain to disallow document.domain overwriting

* use default domain around experimentalUseDefaultDocumentDomain in main iframe and spec bridge iframes. Also adapt CORS policy to use same-origin if experimental flag is set

* run ci

* fix: add insertion of experimental flag where it was needed/missing

* chore: add system test to exercise experimental flag for expected behavior

* fix: fix issues with template updates to conform to squirrelly v7

* fix: update config tests to include new experimental flag

* run ci

* fix: trailing whitespace [run ci]

* chore: update snapshot

* run ci

* fix: update proxy unit tests to account for experimentalUseDefaultDocumentDomain

* run ci

* fix: Allow component tests with special characters in filepath (#25299)

feat: cut over experimental flag to take list of known problematic domains via string/glob pattern

run ci

chore: update system test and fix broken config

* fix: fix server unit and integration tests. integration tests should no longer use google to test against injection as we do not inject document.domain on google domains

* run ci

* run ci

* fix: server integration tests where google documents are expected to receive document.domain injection. Kept test same by changing URL

* run ci

* fix: update server test with missing unupdated assertions

* run ci

* fix: turn off experimental flag by default while recommending sane defaults to users to configure

* run ci

* chore: fix typings [run ci]

* run ci

* chore: make experiment an e2e option only

* run ci

* chore: address comments in code review

* chore: rename experimentalUseDefaultDocumentDomain to experimentalSkipDomainInjection

* fix regression in shouldInjectionDocumentDomain utility function and add unit tests

* run ci

* chore: rename documentSuperDomainIfExists to superDomain [run ci]

* chore: address comments from code review

* chore: just pass opts through to policyForDomain

* run ci

Co-authored-by: Mike Plummer <mike-plummer@users.noreply.github.com>
2023-01-09 10:00:05 -05:00
renovate[bot]
1047796cae chore(deps): update dependency express to v4.17.3 [security] (#25015)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Emily Rohrbough <emilyrohrbough@users.noreply.github.com>
2022-12-27 11:36:52 -06:00
Lachlan Miller
1682a3ffd9 fix: change network request sweep interval from 1s -> 10s (#25209)
* fix: change sweep interval from 1s -> 10s

* binaries

* update variable name

* use DI to make PreRequest class more testable

* revert code [skip ci]

* try tweaking test

Co-authored-by: Matt Henkes <mjhenkes@gmail.com>
2022-12-21 14:37:13 +10:00
Zach Bloomquist
e02f6bf905 feat: add resourceType support to cy.intercept() on req/routeMatcher (#25075)
Co-authored-by: Bill Glesias <bglesias@gmail.com>
2022-12-14 17:40:53 +00:00
Bill Glesias
ca01e29ab8 fix: re include document domain injections for spec-bridge and injection and disable origin-agent-cluster (#25013)
* Revert "chore: remove document.domain usage for cross-origin testing (#24945)"

This reverts commit a3d3074e70.

* fix: set origin-agent-cluster=?0 for the spec bridge iframe

* re apply comment that was reverted in 1fa1246b5c

* Update packages/server/lib/routes-e2e.ts

Co-authored-by: Matt Schile <mschile@cypress.io>

* chore: update document.domain immutable target from chrome 106 -> chrome 109

Co-authored-by: Matt Schile <mschile@cypress.io>
2022-12-06 17:52:48 -05:00
Chris Breiding
a3d3074e70 chore: remove document.domain usage for cross-origin testing (#24945) 2022-12-02 12:08:12 -05:00
Blue F
8ff38cdb01 feat: Create public Cypress.ensure API for use with custom queries (#24697)
* fix: Improve TypeScript support for custom queries

* Typo fix

* Fix TS more

* Move 'ensures' off of cy and onto Cypress

* Type fixes

* One missed replacement

* Test fixes

* Properly pass in  to ensureRunnable

* Add .eslintignores to quiet down warnings

* Review feedback

* Update cli/types/cypress.d.ts

Co-authored-by: Emily Rohrbough <emilyrohrbough@users.noreply.github.com>

Co-authored-by: Emily Rohrbough <emilyrohrbough@users.noreply.github.com>
2022-11-29 09:34:34 -06:00
mjhenkes
200656b1d2 Merge branch 'develop' into matth/merge-in-develop 2022-11-25 09:06:20 -06:00
Matt Henkes
b04f9a1143 fix: Canceled Intercepted calls will now end a waited on alias (#24709)
* fix: on a canceled request, end waiting on an intercepted alias

* Add tests, fix ts

* skip firefox

* add doc

* try to fix flake

* delay?

* Use http proxy instead of cdp.

* 'fix' safari

* test updates

* PR updates

* test updates
2022-11-25 08:53:40 -06:00
Emily Rohrbough
5f56670051 chore(12): merge in develop (#24783)
Co-authored-by: Ben M <benm@cypress.io>
Co-authored-by: Dariusz Czajkowski <darek@darek.dev>
Co-authored-by: Ryan Manuel <ryanm@cypress.io>
Co-authored-by: Adam Stone <adams@cypress.io>
2022-11-23 07:55:29 -06:00
Adam Stone
2166ba0d94 fix: fix windows-lint CI job (#24758) 2022-11-22 14:35:28 -05:00
Emily Rohrbough
79ea453764 chore(v12): merge develop into release/12.0.0 (#24705)
Co-authored-by: amehta265 <65267668+amehta265@users.noreply.github.com>
Co-authored-by: Bill Glesias <bglesias@gmail.com>
Co-authored-by: mattvCypress <mattv@cypress.io>
Co-authored-by: Ryan Manuel <ryanm@cypress.io>
Co-authored-by: Lachlan Miller <lachlan.miller.1990@outlook.com>
Co-authored-by: Jordan <jordan@jpdesigning.com>
Co-authored-by: Adam Stone <adams@cypress.io>
2022-11-18 16:02:31 -06:00
Jordan
ed90b14d4f refactor: move linting to each lib to enable caching (#24424) 2022-11-17 17:31:19 +10:00
Chris Breiding
e4be9697bd Merge branch 'develop' into merge-develop-v12-2022-11-14-take-2 2022-11-14 13:57:38 -05:00
Matt Henkes
23299acc88 fix: Disallow same-superdomain-origin cy.origin blocks (#24569)
* fix: throw error if the cy.origin origin is in the same superDomainOrigin as top.

* testing test tweaks

* 'fix' cypress in cypress tests

* Inject cross origin in google subdomains when not same-origin

* style tweaks

* Ensure strict same-origin check works for google.

* test fixes

* we don't need the location object when we just want the href.

* what is in a name?

* Address PR Comments
2022-11-09 08:29:27 -06:00
Bill Glesias
6055af37b0 Merge branch 'develop' of github.com:cypress-io/cypress into release/12.0.0 2022-11-02 10:27:39 -04:00
Bill Glesias
26e5f31b15 chore: only inject when html is going to be rendered (#24414)
* chore: only inject when html is going to be rendered AND if a
content-type exists, make sure it contains html (which is valid for
xhtml and other mime types)

* rename isHTML is isNotJavascript to be a bit more accurate

* chore: remove isNotJavascript function for restContentTypeIsJavascript for experimental ast rewriter
2022-11-01 14:01:59 -04:00
Ryan Manuel
b0c0eaa508 feat: introduce v8 snapshots to improve startup performance (#24295)
Co-authored-by: Lachlan Miller <lachlan.miller.1990@outlook.com>
Co-authored-by: Zach Bloomquist <git@chary.us>
Co-authored-by: Tyler Biethman <tbiethman@users.noreply.github.com>
Co-authored-by: Matt Henkes <mjhenkes@gmail.com>
Co-authored-by: Chris Breiding <chrisbreiding@users.noreply.github.com>
Co-authored-by: Matt Schile <mschile@cypress.io>
Co-authored-by: Mark Noonan <mark@cypress.io>
Co-authored-by: Zachary Williams <ZachJW34@gmail.com>
Co-authored-by: Ben M <benm@cypress.io>
Co-authored-by: Zachary Williams <zachjw34@gmail.com>
Co-authored-by: astone123 <adams@cypress.io>
Co-authored-by: Bill Glesias <bglesias@gmail.com>
Co-authored-by: Emily Rohrbough <emilyrohrbough@yahoo.com>
Co-authored-by: Emily Rohrbough <emilyrohrbough@users.noreply.github.com>
Co-authored-by: semantic-release-bot <semantic-release-bot@martynus.net>
Co-authored-by: Adam Stone <adams@cypress.io>
Co-authored-by: Blue F <blue@cypress.io>
Co-authored-by: GitStart <1501599+gitstart@users.noreply.github.com>
Co-authored-by: Mike Plummer <mike-plummer@users.noreply.github.com>
Co-authored-by: Jordan <jordan@jpdesigning.com>
Co-authored-by: Sam Goodger <turbo@tailz.dev>
Co-authored-by: Colum Ferry <cferry09@gmail.com>
Co-authored-by: Stokes Player <stokes@cypress.io>
Co-authored-by: Vilhelm Melkstam <vilhelm.melkstam@gmail.com>
Co-authored-by: amehta265 <65267668+amehta265@users.noreply.github.com>
2022-10-31 20:20:27 -05:00
Matt Schile
69873ae988 chore: remove experimentalSessionAndOrigin flag (#24340)
BREAKING CHANGE: removed experimentalSessionAndOrigin flag. testIsolation defaults to strict
2022-10-24 08:49:13 -06:00
Chris Breiding
f9272bbd22 fix: Improve document.cookie patch (#23643) 2022-10-18 17:38:56 -04:00
Bill Glesias
695dd275bc feat: same origin spec bridges (#23885)
* chore: enforce strict origin spec bridges

chore: refactor spec bridges to strictly enforce same origin

fix: wrap fullCrossOrigin injection around feature flag inside buffered response

* fix: do NOT set the initial cypress cookie inside the spec bridge as it is sending unnecessary cookies

* chore: simplify the finding cypress in the injection code

* chore: change order in which callback fn is declared

* chore: add spec bridge performance issue to validation tests
2022-10-04 18:26:04 -04:00
Bill Glesias
a41b104880 chore: simulated cookie fixes 1 (#24060)
* chore: add documentation to CDP,electron, and web extension for selected resource types

* chore: change nomenclature of X-Cypress-Request to X-Cypress-Is-XHR-Or-Fetch

* chore: remove no longer applicable comment for socket code

* chore: add comments to the resourceType/credential manager
2022-10-03 10:05:34 -04:00
Bill Glesias
11ed9a622b fix: misc review comments (#23971)
* chore: refactor credential manager into its own utility class and add basic unit tests

* chore: add firefox comments into the cookie jar
2022-09-27 17:11:30 -04:00
Bill Glesias
01ea821926 feat: implement simulated top req res middleware (#23888)
* test: add correct cookie_behavior assertions before work on server
(currently failing)

* chore: add types needed in the socket and middlewares

* feat: add socket code to server-base (no tests here) to be used in request/response middleware

* feat: fill out the ExtractCypressMetadataHeaders implementation

* feat: add attach cookie logic to requests based on xhr/fetch requests

* feat: add attaching cookies to response logic w/ tests

* Update packages/proxy/lib/http/request-middleware.ts

Co-authored-by: Matt Henkes <mjhenkes@gmail.com>

Co-authored-by: Matt Henkes <mjhenkes@gmail.com>
2022-09-23 10:04:45 -04:00
Bill Glesias
56b4f894aa chore: add utility functions in proxy to be used in the near future i… (#23880)
* chore: add utility functions in proxy to be used in the near future in the request/response middleware(s)

* fix: add isAUTIframe check inside the shouldAttachAndSetCookies, move the siteContext info to the cookies package, simplify top-simulation util, and add better method documentation
2022-09-22 10:21:13 -04:00
Bill Glesias
252ae5ae67 Merge branch 'develop' of github.com:cypress-io/cypress into feature/simulated-top-cookie-handling 2022-09-21 18:29:21 -04:00
Bill Glesias
18321f80dd chore: refactor originPolicy to use superDomainOrigin nomenclat… (#23879)
* chore: refactor originPolicy to use superDomainOriginPolicy nomenclature and add sameSite/superDomainOrigin policy functions and make originMatch functions match fully same origin policy including sub domains

* chore: change doesAutMatchTopSuperOriginPolicy to doesAUTMatchTopSuperDomainOriginPolicy

* chore: rename originPolicy references to just be origin. Rename superDomainOriginPolicy to superDomainOrigin

* fix: remove duplicate origin keys and add check for remote.origin to return null

* chore: further rename variables to fit origin paradigm

* chore: remove latestActiveSuperDomainOrigin as it is no longer used

* fix: key order in consoleProps yielded test

* remove isAnticipatingCrossOriginResponse as it is no longer available

* chore: update documentation to urlMatchesSameSiteProps to show why the strictPortMatch is an option

* chore: refactor cors package to use a single parse function and update unit tests

* chore: refactor getOrigin to use url origin

* chore: update same-site documentation to now be dependent on cookies

* chore: update same-site policy to be schemeful-same-site policy as we consider protocol mismatches to be not same-site
2022-09-21 18:27:17 -04:00
Bill Glesias
cd2fde9047 fix: misc cy origin cleanup (#23914)
* chore: remove cannot_visit_previous_origin error message as it is no longer used

* fix: wrap MaybeEndRequestWithBufferedResponse fullCrossOrigin check around feature flag
2022-09-21 16:14:19 -04:00
Bill Glesias
fd941023a2 fix: properly replace integrity tags in script resources when experimentalModifyObstructiveThirdPartyCode is true (#23820)
* test: add failing unit test for expected behavior

* fix: add regex to strip out dynamic setAttribute integrity setting when modifyObstructiveThirdPartyCode is enabled

* fix: properly replace integrity tags inside script resources when experimentalModifyObstructiveThirdPartyCode is true

* test: fix regex rewriter to handle a few other cases of rewriting
integrity. Now accurately applies to other broad strokes

* rename html integrity re to general as this replaces both html and javascript integrity tags in certain cases

* chore: rephrase comments in regex rewriter for MO third party code
2022-09-20 16:03:17 -04:00