Commit Graph

122 Commits

Author SHA1 Message Date
Chris Breiding
a0cfed5044 fix: "bypass" proxying network requests from extra browser tabs/windows (#28188)
Co-authored-by: Ryan Manuel <ryanm@cypress.io>
Co-authored-by: Matt Schile <mschile@cypress.io>
2023-11-02 13:55:13 -04:00
Ryan Manuel
d9606868c5 fix: fix failures and correlation in proxy (#28094) 2023-10-23 16:08:05 -05:00
Ryan Manuel
ff89ffa2b2 fix: proxy issues with service workers and clean up at end of specs (#28060) 2023-10-17 19:53:49 -05:00
Ryan Manuel
ca6d30d7bf fix: force gzip when no accept encoding header is sent and use identity if gzip is not sent (#28026)
Co-authored-by: Chris Breiding <chrisbreiding@users.noreply.github.com>
2023-10-17 13:52:37 -05:00
Ryan Manuel
078dc0a81e fix: support proxy correlation timeout notifications and additional proxy data (#27976) 2023-10-10 16:19:37 -05:00
Ryan Manuel
8da1e5c92f fix: correlate prerequests in order instead of reverse order (#27892) 2023-09-27 16:37:16 -05:00
Ryan Manuel
70248ab9c0 fix: prerequest correlation for various retried and cached requests (#27771) 2023-09-10 21:41:40 -05:00
Ryan Manuel
43821bf53d feat: handle empty response bodies by communicating them to the protocol from the proxy (#27606) 2023-08-21 19:31:40 -05:00
Ryan Manuel
462ee04df9 feat: enable the protocol to retrieve response bodies from the network proxy (#27462)
Co-authored-by: Matt Schile <mschile@cypress.io>
Co-authored-by: Ryan Manuel <ryanm@cypress.io>
Co-authored-by: Cacie Prins <cacie@cypress.io>
Co-authored-by: Cacie Prins <cacieprins@users.noreply.github.com>
Co-authored-by: Chris Breiding <chrisbreiding@users.noreply.github.com>
fix: do not correlate cached requests in the proxy (#27525)
2023-08-15 13:41:36 -05:00
Bill Glesias
68f8f99a9d chore: update node types from v14 to v16 latest to be current (no 16.16.0 types exist). Fixes types issues with webpack upgrade. (#27425)
chore: bump the Typescript minimum version in the CLI from 3.4 to 3.9
2023-08-01 09:16:49 -04:00
Bill Glesias
2e092add12 perf: no longer pause every single request through CDP and only pause requests needed for AUT document [run ci] (#26623) 2023-07-21 13:38:35 -04:00
Bill Glesias
ca1b42c2ae chore: reorganize middleware and add telemetry to OmitProblematicHeaders (#27139)
* move omitProblematicHeaders above set injection level (1:1 change).
Addresses https://github.com/cypress-io/cypress/pull/26483/files#r1203011105

* chore: add telemetry to omitProblematicHeaders
2023-06-26 16:35:52 -04:00
Preston Goforth
71c5b864ea feat: Selective CSP header stripping from HTTPResponse (#26483)
* feat: Selective CSP header directive stripping from HTTPResponse
- uses `stripCspDirectives` config option

* feat: Selective CSP header directive permission from HTTPResponse
- uses `experimentalCspAllowList` config option

* Address Review Comments:
- Add i18n for `experimentalCspAllowList`
- Remove PR link in changelog
- Fix docs link in changelog
- Remove extra typedef additions
- Update validation error message and snapshot
- Fix middleware negated conditional

* chore: refactor driver test into system tests to get better test
coverage on experimentalCspAllowList options

* Address Review Comments:
- Remove legacyOption for `experimentalCspAllowList`
- Update App desc for `experimentalCspAllowList` to include "Content-Security-Policy-Report-Only"
- Modify CHANGELOG wording
- Specify “never” overrideLevel
- Remove unused validator (+2 squashed commits)
- Add "Addresses" note in CHANGELOG to satisfy automation
- Set `canUpdateDuringTestTime` to `false` to prevent confusion

* chore: Add `frame-src` and `child-src` to conditional CSP directives

* chore: Rename `isSubsetOf` to `isArrayIncludingAny`

* chore: fix CLI linting types

* chore: fix server unit tests

* chore: fix system tests within firefox and webkit

* chore: add form-action test

* chore: update system test snapshots

* chore: skip tests in webkit due to form-action flakiness

* chore: Move 'sandbox' and 'navigate-to' into `unsupportedCSPDirectives`
- Add additional system tests
- Update snapshots and unit test

* chore: update system test snapshots

* chore: fix system tests

* chore: do not run csp tests within firefox or webkit due to flake issues in CI

* chore: attempt to increase intercept delay to avoid race condition

* chore: update new snapshots with video defaults work

* chore: update changelog

---------

Co-authored-by: Bill Glesias <bglesias@gmail.com>
Co-authored-by: Matt Schile <mschile@cypress.io>
2023-06-14 14:54:52 -05:00
Matt Henkes
dc80641d02 chore: telemetry pr cleanup (#26776) 2023-05-17 10:51:02 -05:00
Matt Henkes
50ffd5ee1d chore: add telemetry to the proxy (#26695)
* chore: set up instrumentation and instrument middleware

* chore: set up console exporter

* chore: add parent span option to telemetry package

* chore: set up telemetry verbose mode

* chore: instrument the network proxy - part 1

* chore: make sure to terminate spans when request is aborted

* fix telemetry, create/end the request middle prior to sending the outbound request

* avoid telemetry ts build step, create entrypoint into packages/telemetry using TS conventions

* allow env vars to be "true" or "1"

* when creating child span, inherit their attributes directly from the parent

* create custom honeycomb exporter and span processor to log traces

* remove duplicate code that's already called in this.setRootContext

* cleanup

* more clean up

* update honeycomb network:proxy attributes, update console.log message

* yarn lock

* chore: remove performance API in middleware

* chore: end response on correct event

* recursively gather parent attributes on close

* added key and some clean up

* github action detector, move verbose into index, verbose log commands

* some tests

* clean up honeycomb exporter

* some renaming

* testing console trace link exporter

* Don't lose the top span when running in verbose.

* link to the right place for prod/dev

* changes to verbose to make sure it is read in the browser

* Apply suggestions from code review

* pass parent attributes between telemetry instances

* default to false

* 'fix' build issues

* src not dist

* add back on start span

* once more with feeling

* Fix some tests

* try this i guess

* revert auto build

* Apply suggestions from code review

Co-authored-by: Bill Glesias <bglesias@gmail.com>

* support failed commands

* Address PR comments

* Address PR Comments

* error handling

* handle all the errors

---------

Co-authored-by: Bill Glesias <bglesias@gmail.com>
Co-authored-by: Brian Mann <brian.mann86@gmail.com>
2023-05-17 08:32:10 -05:00
Zach Bloomquist
039ebad220 feat(intercept): add { log: false } to StaticResponse (#25547)
* begin setting log with the backend

* revert backend changes

* update interface now that we are only doing static log

* change existing logging logic to run in proxy layer instead

* add tests, fix small bugs

run ci

* fix tests

* add changelog

* run ci

* run ci

* fix cl

run ci

* Update cli/CHANGELOG.md

---------

Co-authored-by: Matt Henkes <mjhenkes@gmail.com>
2023-03-14 08:54:46 -05:00
Bill Glesias
59c1175065 chore: improve types for server automation cookie client (#25836)
* chore: improve types for automation cookies

* [run ci]
2023-02-20 14:52:38 -05:00
Mike Plummer
efc195896a fix: Improve error handling around calls to this.next in middleware (#25702) 2023-02-08 10:17:28 -06:00
Bill Glesias
478407ec38 fix: revert CSP header and script-src addition (#25445)
* Revert "feat: Do not strip CSP headers from HTTPResponse (#24760)"

This reverts commit 0472bb9cdb.

* run ci
2023-01-13 10:59:00 -05:00
Preston Goforth
0472bb9cdb feat: Do not strip CSP headers from HTTPResponse (#24760)
Co-authored-by: Zach Bloomquist <git@chary.us>
Closes https://github.com/cypress-io/cypress/issues/1030
2023-01-11 17:37:45 +00:00
Bill Glesias
d470f59ea2 feat: experimental skip domain injection (#25307)
* feat: set up experimentalUseDefaultDocumentDomain to disallow document.domain overwriting

* use default domain around experimentalUseDefaultDocumentDomain in main iframe and spec bridge iframes. Also adapt CORS policy to use same-origin if experimental flag is set

* run ci

* fix: add insertion of experimental flag where it was needed/missing

* chore: add system test to exercise experimental flag for expected behavior

* fix: fix issues with template updates to conform to squirrelly v7

* fix: update config tests to include new experimental flag

* run ci

* fix: trailing whitespace [run ci]

* chore: update snapshot

* run ci

* fix: update proxy unit tests to account for experimentalUseDefaultDocumentDomain

* run ci

* fix: Allow component tests with special characters in filepath (#25299)

feat: cut over experimental flag to take list of known problematic domains via string/glob pattern

run ci

chore: update system test and fix broken config

* fix: fix server unit and integration tests. integration tests should no longer use google to test against injection as we do not inject document.domain on google domains

* run ci

* run ci

* fix: server integration tests where google documents are expected to receive document.domain injection. Kept test same by changing URL

* run ci

* fix: update server test with missing unupdated assertions

* run ci

* fix: turn off experimental flag by default while recommending sane defaults to users to configure

* run ci

* chore: fix typings [run ci]

* run ci

* chore: make experiment an e2e option only

* run ci

* chore: address comments in code review

* chore: rename experimentalUseDefaultDocumentDomain to experimentalSkipDomainInjection

* fix regression in shouldInjectionDocumentDomain utility function and add unit tests

* run ci

* chore: rename documentSuperDomainIfExists to superDomain [run ci]

* chore: address comments from code review

* chore: just pass opts through to policyForDomain

* run ci

Co-authored-by: Mike Plummer <mike-plummer@users.noreply.github.com>
2023-01-09 10:00:05 -05:00
Lachlan Miller
1682a3ffd9 fix: change network request sweep interval from 1s -> 10s (#25209)
* fix: change sweep interval from 1s -> 10s

* binaries

* update variable name

* use DI to make PreRequest class more testable

* revert code [skip ci]

* try tweaking test

Co-authored-by: Matt Henkes <mjhenkes@gmail.com>
2022-12-21 14:37:13 +10:00
Zach Bloomquist
e02f6bf905 feat: add resourceType support to cy.intercept() on req/routeMatcher (#25075)
Co-authored-by: Bill Glesias <bglesias@gmail.com>
2022-12-14 17:40:53 +00:00
Bill Glesias
ca01e29ab8 fix: re include document domain injections for spec-bridge and injection and disable origin-agent-cluster (#25013)
* Revert "chore: remove document.domain usage for cross-origin testing (#24945)"

This reverts commit a3d3074e70.

* fix: set origin-agent-cluster=?0 for the spec bridge iframe

* re apply comment that was reverted in 1fa1246b5c

* Update packages/server/lib/routes-e2e.ts

Co-authored-by: Matt Schile <mschile@cypress.io>

* chore: update document.domain immutable target from chrome 106 -> chrome 109

Co-authored-by: Matt Schile <mschile@cypress.io>
2022-12-06 17:52:48 -05:00
Chris Breiding
a3d3074e70 chore: remove document.domain usage for cross-origin testing (#24945) 2022-12-02 12:08:12 -05:00
mjhenkes
200656b1d2 Merge branch 'develop' into matth/merge-in-develop 2022-11-25 09:06:20 -06:00
Matt Henkes
b04f9a1143 fix: Canceled Intercepted calls will now end a waited on alias (#24709)
* fix: on a canceled request, end waiting on an intercepted alias

* Add tests, fix ts

* skip firefox

* add doc

* try to fix flake

* delay?

* Use http proxy instead of cdp.

* 'fix' safari

* test updates

* PR updates

* test updates
2022-11-25 08:53:40 -06:00
Chris Breiding
e4be9697bd Merge branch 'develop' into merge-develop-v12-2022-11-14-take-2 2022-11-14 13:57:38 -05:00
Matt Henkes
23299acc88 fix: Disallow same-superdomain-origin cy.origin blocks (#24569)
* fix: throw error if the cy.origin origin is in the same superDomainOrigin as top.

* testing test tweaks

* 'fix' cypress in cypress tests

* Inject cross origin in google subdomains when not same-origin

* style tweaks

* Ensure strict same-origin check works for google.

* test fixes

* we don't need the location object when we just want the href.

* what is in a name?

* Address PR Comments
2022-11-09 08:29:27 -06:00
Bill Glesias
6055af37b0 Merge branch 'develop' of github.com:cypress-io/cypress into release/12.0.0 2022-11-02 10:27:39 -04:00
Bill Glesias
26e5f31b15 chore: only inject when html is going to be rendered (#24414)
* chore: only inject when html is going to be rendered AND if a
content-type exists, make sure it contains html (which is valid for
xhtml and other mime types)

* rename isHTML is isNotJavascript to be a bit more accurate

* chore: remove isNotJavascript function for restContentTypeIsJavascript for experimental ast rewriter
2022-11-01 14:01:59 -04:00
Matt Schile
69873ae988 chore: remove experimentalSessionAndOrigin flag (#24340)
BREAKING CHANGE: removed experimentalSessionAndOrigin flag. testIsolation defaults to strict
2022-10-24 08:49:13 -06:00
Chris Breiding
f9272bbd22 fix: Improve document.cookie patch (#23643) 2022-10-18 17:38:56 -04:00
Bill Glesias
695dd275bc feat: same origin spec bridges (#23885)
* chore: enforce strict origin spec bridges

chore: refactor spec bridges to strictly enforce same origin

fix: wrap fullCrossOrigin injection around feature flag inside buffered response

* fix: do NOT set the initial cypress cookie inside the spec bridge as it is sending unnecessary cookies

* chore: simplify the finding cypress in the injection code

* chore: change order in which callback fn is declared

* chore: add spec bridge performance issue to validation tests
2022-10-04 18:26:04 -04:00
Bill Glesias
a41b104880 chore: simulated cookie fixes 1 (#24060)
* chore: add documentation to CDP,electron, and web extension for selected resource types

* chore: change nomenclature of X-Cypress-Request to X-Cypress-Is-XHR-Or-Fetch

* chore: remove no longer applicable comment for socket code

* chore: add comments to the resourceType/credential manager
2022-10-03 10:05:34 -04:00
Bill Glesias
11ed9a622b fix: misc review comments (#23971)
* chore: refactor credential manager into its own utility class and add basic unit tests

* chore: add firefox comments into the cookie jar
2022-09-27 17:11:30 -04:00
Bill Glesias
01ea821926 feat: implement simulated top req res middleware (#23888)
* test: add correct cookie_behavior assertions before work on server
(currently failing)

* chore: add types needed in the socket and middlewares

* feat: add socket code to server-base (no tests here) to be used in request/response middleware

* feat: fill out the ExtractCypressMetadataHeaders implementation

* feat: add attach cookie logic to requests based on xhr/fetch requests

* feat: add attaching cookies to response logic w/ tests

* Update packages/proxy/lib/http/request-middleware.ts

Co-authored-by: Matt Henkes <mjhenkes@gmail.com>

Co-authored-by: Matt Henkes <mjhenkes@gmail.com>
2022-09-23 10:04:45 -04:00
Bill Glesias
56b4f894aa chore: add utility functions in proxy to be used in the near future i… (#23880)
* chore: add utility functions in proxy to be used in the near future in the request/response middleware(s)

* fix: add isAUTIframe check inside the shouldAttachAndSetCookies, move the siteContext info to the cookies package, simplify top-simulation util, and add better method documentation
2022-09-22 10:21:13 -04:00
Bill Glesias
252ae5ae67 Merge branch 'develop' of github.com:cypress-io/cypress into feature/simulated-top-cookie-handling 2022-09-21 18:29:21 -04:00
Bill Glesias
18321f80dd chore: refactor originPolicy to use superDomainOrigin nomenclat… (#23879)
* chore: refactor originPolicy to use superDomainOriginPolicy nomenclature and add sameSite/superDomainOrigin policy functions and make originMatch functions match fully same origin policy including sub domains

* chore: change doesAutMatchTopSuperOriginPolicy to doesAUTMatchTopSuperDomainOriginPolicy

* chore: rename originPolicy references to just be origin. Rename superDomainOriginPolicy to superDomainOrigin

* fix: remove duplicate origin keys and add check for remote.origin to return null

* chore: further rename variables to fit origin paradigm

* chore: remove latestActiveSuperDomainOrigin as it is no longer used

* fix: key order in consoleProps yielded test

* remove isAnticipatingCrossOriginResponse as it is no longer available

* chore: update documentation to urlMatchesSameSiteProps to show why the strictPortMatch is an option

* chore: refactor cors package to use a single parse function and update unit tests

* chore: refactor getOrigin to use url origin

* chore: update same-site documentation to now be dependent on cookies

* chore: update same-site policy to be schemeful-same-site policy as we consider protocol mismatches to be not same-site
2022-09-21 18:27:17 -04:00
Bill Glesias
cd2fde9047 fix: misc cy origin cleanup (#23914)
* chore: remove cannot_visit_previous_origin error message as it is no longer used

* fix: wrap MaybeEndRequestWithBufferedResponse fullCrossOrigin check around feature flag
2022-09-21 16:14:19 -04:00
Bill Glesias
fd941023a2 fix: properly replace integrity tags in script resources when experimentalModifyObstructiveThirdPartyCode is true (#23820)
* test: add failing unit test for expected behavior

* fix: add regex to strip out dynamic setAttribute integrity setting when modifyObstructiveThirdPartyCode is enabled

* fix: properly replace integrity tags inside script resources when experimentalModifyObstructiveThirdPartyCode is true

* test: fix regex rewriter to handle a few other cases of rewriting
integrity. Now accurately applies to other broad strokes

* rename html integrity re to general as this replaces both html and javascript integrity tags in certain cases

* chore: rephrase comments in regex rewriter for MO third party code
2022-09-20 16:03:17 -04:00
Bill Glesias
ce1dfc36e9 Merge branch 'develop' into feature/simulated-top-cookie-handling 2022-09-18 23:22:22 -04:00
Bill Glesias
0c265638ce feat: add resource type header to CDP, extension, and electron (#23821)
* feat: add X-Cypress-Request header in extension

* feat: add X-Cypress-Request header in CDP

* feat: add X-Cypress-Request header in electron

* feat: add ExtractRequestedWithAndCredentialsIfApplicable middleware stub to remove the newly added x-cypress-request header

* chore: change defaultHeaders variable name to requestModifications to more accurately reflect usage

* chore: condense ExtractIsAUTFrameHeader and ExtractRequestedWithAndCredentialsIfApplicable into ExtractCypressMetadataHeaders middleware

* test: add anti assertion for x-cypress-request and remove setting request verbiage (as it does nothing yet)
2022-09-18 22:28:32 -04:00
Emily Rohrbough
344ee2145e Merge branch 'develop' into cache-sessions-server 2022-09-15 13:08:47 -05:00
Matt Henkes
6ee305ba41 feat: Allow cy.visit to visit cross origin sites. (#23297)
* Initial async changes

* Small fixes and test updates.

* updating tests

* Fixes for cookie login tests

* remove the onlys

* Most tests passing

* Fix driver tests?

* fix firefox test?

* fix unit tests

* fix tests??

* a better check

* fix integration tests

* minor cleanup

* Comment out tyler fix for 10.0 origin issue

* also fix integration tests

* remove fixmes

* Adding Retries for cookie actions. May break other error tests.

* Address (some) PR comments

* update to warn about cross origin command AUT in assertions

* Fix type errors

* Move document.cookie patch to injection

* Adding iframe patching.

* forward errors prior to attaching

* Add error message when using visit to visit a cross origin site with the onLoad or onBeforeLoad options.

* Attempt to fix test errors.

* more fixes, but not all

* use the origin policy

* Fix types

* more fixes

* consider chromeWebSecurity when checking if you can communicate with the AUT

* firefox

* prevent hangs if before unload happens after on load.

* Fix some ToDos

* code cleanup

* remove quotes

* Code review changes

* more cr changes

* fix tests possibly

* for realz this time

* roll back change

* Fix some flake

* Fix flakey xhr test hopefully.

* oops, forgot communicator changes. need those.

* modify error message to not lose the original error

* read config right derp

* simpler check

* no unused vars

* don't put config on window

* Make isRunnerAbleToCommunicateWithTheAUT a util function instead of attaching it to cypress.

* fix a race condition maybe

* clear document when window is cross origin... we'll see if this breaks anything.

* Retry if querying against the wrong AUT

* use timeout

* Don't print the retrying string unless you're retrying due to command aut origin mismatch

* try handling undefined document

* Code review updates. What could go wrong??

* Apply suggestions from code review

Co-authored-by: Bill Glesias <bglesias@gmail.com>

* minor fixes

* try aut location and move the async state collection.

* fix flake around the loading message, probably

* Fix system tests and some flake around redirect counts.

* Improve error handler prior to attaching.

* Code review suggestions

* use a generated ID when promisifying post message

* clean up promise helper

* skip xhr test until issue is resolved.

* Apply suggestions from code review

Co-authored-by: Chris Breiding <chrisbreiding@users.noreply.github.com>

* use state directly

* Apply suggestions from code review

Co-authored-by: Bill Glesias <bglesias@gmail.com>

* Update packages/driver/src/cypress/error_messages.ts

Co-authored-by: Chris Breiding <chrisbreiding@users.noreply.github.com>

Co-authored-by: Bill Glesias <bglesias@gmail.com>
Co-authored-by: Chris Breiding <chrisbreiding@users.noreply.github.com>
2022-09-15 12:28:27 -05:00
Emily Rohrbough
821150517d Merge branch 'develop' into cache-sessions-server
# Conflicts:
#	packages/app/src/runner/event-manager.ts
#	packages/runner/src/studio/studio-recorder.js
#	packages/types/src/driver.ts
2022-09-14 11:49:59 -05:00
Bill Glesias
b28bbcf56f feat: add MaybeSimulateSecHeaders code to prevent 403 issues with google (#23720) 2022-09-09 16:38:02 -04:00
Bill Glesias
9cdb33b4c6 fix: same site cookie context and duplicate cookies (#23438)
* test: refactor and add tests in the cors package

* fix: add areUrlsSameSite method to cookies package and fix
sameSiteContext calculation method and add tests

* fix: always use Set-Cookie optimistically whether or not we keep track of the cookie or not in the server side cookie jar

* chore: add failing unit tests for postpending cookies

* chore: add tough cookie integration tests to verify we append cookies appropriately to request header Cookie

* fix: do not duplicate cookies in request if existing in the cookie jar. Add additional tests to verify expected behavior

* test: add cookie behavior tests that document current expected behavior vs what spec behavior should/will be

* test: add misc tests that check for cookie order

* chore: update debug logs in request to discern cookies

* test: fix assertions in firefox as same-site cookies are actually set correctly

* fix test incorrect assertions. cookies currently exist in primary that are same-site regardless of browser

* skip SameSite=none test in firefox as we currently low insecure samesite none cookies in firefox

* chore: apply suggestions from code review

* chore: change expects to expect

* chore: add documentation for why we need an additional HTTPS port

* remove X-Set-Cookie fixmes
2022-09-07 23:19:52 -04:00
Emily Rohrbough
835d337103 round 1 2022-08-29 13:31:09 -05:00