cypress-io / cypress

Fast, easy and reliable testing for anything that runs in a browser.
https://cypress.io
MIT License

Cypress _still_ cannot test sites that implement SRI #18315

Open logicbomb421 opened 2 years ago

logicbomb421 commented 2 years ago

Current behavior

Attempting to run Cypress tests against a site that implements Sub-Resource Integrity checks causes the browser to fail to load the data since it can't find a valid hash for the resource (guessing it's being modified by Cypress for some reason):

Failed to find a valid digest in the 'integrity' attribute for resource '<main app bundle>' with computed SHA-256 integrity '<hash>'. The resource has been blocked.

I found #2393 that seemed to be the exact issue I'm having. When I implemented the suggested fix, "experimentalSourceRewriting": true, the main app bundle that couldn't load (above) does load correctly, and I see the cypress:stripped-integrity="foo" tag that was changed on the main app bundle.

However, our application makes use of multiple source bundles, many of which have their loading deferred like so:

const FlagsDashboard = React.lazy(
  componentLoader(() => import(/* webpackChunkName: "FlagsDashboard" */ './FlagsDashboard'))
);

It appears when these bundles load, the original issue in #2393 is present again:

Failed to find a valid digest in the 'integrity' attribute for resource '<sub bundle>' with computed SHA-256 integrity '<hash>'. The resource has been blocked.
...
many more of these for the other deferred bundles

Desired behavior

Cypress does not interfere with unrelated security features, allowing me to keep them enabled on my site. Right now, my company is forced to remove a security feature and take a ding on a security report just so we can make our test suite pass. Normally this is when I bail on tools and find something less opinionated, but we have put a lot of work into our suites so this is no longer an option.

Test code to reproduce

Create a normal react app with a main bundle and a deferred load bundle. Set the "experimentalSourceRewriting": true config setting. The main bundle should load with the cypress:stripped-integrity tag, but the deferred bundle still fails the SRI check.

Cypress Version

7.7.0

Other

No response

cypress-app-bot commented 1 year ago

This issue has not had any activity in 180 days. Cypress evolves quickly and the reported behavior should be tested on the latest version of Cypress to verify the behavior is still occurring. It will be closed in 14 days if no updates are provided.

cypress-app-bot commented 1 year ago

This issue has been closed due to inactivity.

ian-gregson-qatalog commented 3 months ago

+1 on this...

Cypress is configured with

  chromeWebSecurity: false,
  experimentalModifyObstructiveThirdPartyCode: true,

But still I get the failure on the integrity check

Failed to find a valid digest in the 'integrity' attribute for resource '...main.5eb7345e.js' with computed SHA-384 integrity 'jjiyirfrWb0sDZ8B7ATTCTIYv187ZZN7YuXzTxzDxonx8XkO06FAFc9H8RG75cTT'. The resource has been blocked.

el-feo commented 2 months ago

We have been experiencing this same issue. Our workaround was to add:

modifyObstructiveCode: false,

It seems like the issue is that Cypress is modifying the JS which causes the integrity check to fail.