* chore: update darwin v8 snapshot
* BREAKING CHANGE: set video to false by default (system tests need updating).
* Update cli/CHANGELOG.md
Co-authored-by: Emily Rohrbough <emilyrohrbough@users.noreply.github.com>
* chore: update type comments
* chore: update protocol snapshot
* run ci
* run ci
* set video to true for chrome browser crash test
* chore: put in workaround for failing system test spec to be fixed in 27062
* chore: allow retries on actionability tests to be at least one retry as the CI tests run faster without video on
* chore: fix flaky navigation test where done is called multiple times almsot always, but sometimes throws an error
---------
Co-authored-by: Emily Rohrbough <emilyrohrbough@users.noreply.github.com>
* feat: Selective CSP header directive stripping from HTTPResponse
- uses `stripCspDirectives` config option
* feat: Selective CSP header directive permission from HTTPResponse
- uses `experimentalCspAllowList` config option
* Address Review Comments:
- Add i18n for `experimentalCspAllowList`
- Remove PR link in changelog
- Fix docs link in changelog
- Remove extra typedef additions
- Update validation error message and snapshot
- Fix middleware negated conditional
* chore: refactor driver test into system tests to get better test
coverage on experimentalCspAllowList options
* Address Review Comments:
- Remove legacyOption for `experimentalCspAllowList`
- Update App desc for `experimentalCspAllowList` to include "Content-Security-Policy-Report-Only"
- Modify CHANGELOG wording
- Specify “never” overrideLevel
- Remove unused validator (+2 squashed commits)
- Add "Addresses" note in CHANGELOG to satisfy automation
- Set `canUpdateDuringTestTime` to `false` to prevent confusion
* chore: Add `frame-src` and `child-src` to conditional CSP directives
* chore: Rename `isSubsetOf` to `isArrayIncludingAny`
* chore: fix CLI linting types
* chore: fix server unit tests
* chore: fix system tests within firefox and webkit
* chore: add form-action test
* chore: update system test snapshots
* chore: skip tests in webkit due to form-action flakiness
* chore: Move 'sandbox' and 'navigate-to' into `unsupportedCSPDirectives`
- Add additional system tests
- Update snapshots and unit test
* chore: update system test snapshots
* chore: fix system tests
* chore: do not run csp tests within firefox or webkit due to flake issues in CI
* chore: attempt to increase intercept delay to avoid race condition
* chore: update new snapshots with video defaults work
* chore: update changelog
---------
Co-authored-by: Bill Glesias <bglesias@gmail.com>
Co-authored-by: Matt Schile <mschile@cypress.io>
* feat: set up experimentalUseDefaultDocumentDomain to disallow document.domain overwritting
* use default domain around experimentalUseDefaultDocumentDomain in main iframe and spec bridge iframes. Also adapt CORS policy to use same-origin if experimental flag is set
* run ci
* fix: add insertion of experimental flag where is was needed/missing
* chore: add system test to exercise experimental flag for expected behavior
* fix: fix issues with template updates to conform to squirrelly v7
* fix: update config tests to include new experimental flag
* run ci
* fix: trailing whitespace [run ci]
* chore: update snapshot
* run ci
* fix: update proxy unit tests to account for experimentalUseDefaultDocumentDomain
* run ci
* fix: Allow component tests with special characters in filepath (#25299)
feat: cut over experimental flag to take list of known problematic domains via string/glob pattern
run ci
chore: update system test and fix broken config
* fix: fix server unit and integration tests. integration tests should no longer use google to test against injection as we do not inject document.domain on google domains
* run ci
* run ci
* fix: server integration tests where google documents are expected to receive document.domain injection. Kept test same by changing URL
* run ci
* fix: update server test with mssing unupdated assertions
* run ci
* fix: turn off experimental flag by default while recommending sane defaults to users to configure
* run ci
* chore: fix typings [run ci]
* run ci
* chore: make experiment an e2e option only
* run ci
* chore: address comments in code review
* chore: rename experimentalUseDefaultDocumentDomain to experimentalSkipDomainInjection
* fix regression in shouldInjectionDocumentDomain utility function and add unit tests
* run ci
* chore: rename documentSuperDomainIfExists to superDomain [run ci]
* chore: address comments from code review
* chore: just pass opts through to policyForDomain
* run ci
Co-authored-by: Mike Plummer <mike-plummer@users.noreply.github.com>
* Revert "chore: remove document.domain usage for cross-origin testing (#24945)"
This reverts commit a3d3074e70.
* fix: set origin-agent-cluster=?0 for the spec bridge iframe
* re apply comment that was reverted in 1fa1246b5c
* Update packages/server/lib/routes-e2e.ts
Co-authored-by: Matt Schile <mschile@cypress.io>
* chore: update document.domain immutable target from chrome 106 -> chrome 109
Co-authored-by: Matt Schile <mschile@cypress.io>
* fix: throw error if the cy.origin origin is in the same superDomainOrigin as top.
* testing test tweaks
* 'fix' cypress in cypress tests
* Inject cross origin in google subdomains when not same-origin
* style tweaks
* Ensure strict same-origin check works for google.
* test fixes
* we don't need the location object when we just want the href.
* what is in a name?
* Address PR Comments
* chore: enforce strict origin spec bridges
chore: refactor spec bridges to strictly enforce same origin
fix: wrap fullCrossOrigin injection around feature flag inside buffered response
* fix: do NOT set the initial cypress cookie inside the spec bridge as it is sending unecessary cookies
* chore: simplify the finding cypress in the injection code
* chore: change order in which callback fn is declared
* chore: add spec bridge performance issue to validation tests
* chore: refactor originPolicy to use superDomainOriginPolicy nomenclature and add sameSite/superDomainOrigin policy functions and make originMatch functions match fully same origin policy including sub domains
* chore: change doesAutMatchTopSuperOriginPolicy to doesAUTMatchTopSuperDomainOriginPolicy
* chore: rename originPolicy references to just be origin. Rename superDomainOriginPolicy to superDomainOrigin
* fix: remove duplicate origin keys and add check for remote.origin to return null
* chore: further rename variables to fit origin paradigm
* chore: remove latestActiveSuperDomainOrigin as it is no longer used
* fix: key order in consoleProps yielded test
* remove isAnticipatingCrossOriginResponse as it is no longer available
* chore: update documentation to urlMatchesSameSiteProps to show why the strictPortMatch is an option
* chore: refactor cors package to use a single parse function and update unit tests
* chore: refactor getOrigin to use url origin
* chore: update same-site documentation to now be dependent on cookies
* chore: update same-site policy to be schemeful-same-site policy as we consider protocol mismatches to be not same-site
* Initial async changes
* Small fixes and test updates.
* updating tests
* Fixes for cookie login tests
* remove the onlys
* Most tests passing
* Fix driver tests?
* fix firefox test?
* fix unit tests
* fix tests??
* a better check
* fix integration tests
* minor cleanup
* Comment out tyler fix for 10.0 origin issue
* also fix integration tests
* remove fixmes
* Adding Retries for cookie actions. May break other error tests.
* Address (some) PR comments
* update to warn about cross origin command AUT in assertions
* Fix type errors
* Move document.cookie patch to injection
* Adding iframe patching.
* forward errors prior to attaching
* Add error message when using visit to visit a cross origin site with the onLoad or onBeforeLoad options.
* Attempt to fix test errors.
* more fixes, but not all
* use the origin policy
* Fix types
* more fixes
* consider chromeWebSecurity when checking if you can communicate with the AUT
* firefox
* prevent hangs if before unload happens after on load.
* Fix some ToDos
* code cleanup
* remove quotes
* Code review changes
* more cr changes
* fix tests possibly
* for realz this time
* roll back change
* Fix some flake
* Fix flakey xhr test hopefully.
* oops, forgot communicator changes. need those.
* modify error message to not lose the original error
* read config right derp
* simpler check
* no unused vars
* don't put config on window
* Make isRunnerAbleToCommunicateWithTheAUT a util function instead of attaching it to cypress.
* fix a race condition maybe
* clear document when window is cross origin... we'll see if this breaks anything.
* Retry if querying against the wrong AUT
* use timeout
* Don't print the retrying string unless you're retrying due to command aut origin mismatch
* try handling undefined document
* Code review updates. What could go wrong??
* Apply suggestions from code review
Co-authored-by: Bill Glesias <bglesias@gmail.com>
* minor fixes
* try aut location and move the async state collection.
* fix flake around the loading message, probably
* Fix system tests and some flake around redirect counts.
* Improve error handler prior to attaching.
* Code review suggestions
* use a generated ID when promisifying post message
* clean up promise helper
* skip xhr test until issue is resolved.
* Apply suggestions from code review
Co-authored-by: Chris Breiding <chrisbreiding@users.noreply.github.com>
* use state directly
* Apply suggestions from code review
Co-authored-by: Bill Glesias <bglesias@gmail.com>
* Update packages/driver/src/cypress/error_messages.ts
Co-authored-by: Chris Breiding <chrisbreiding@users.noreply.github.com>
Co-authored-by: Bill Glesias <bglesias@gmail.com>
Co-authored-by: Chris Breiding <chrisbreiding@users.noreply.github.com>
Ryan Manuel