Open AtofStryker opened 5 months ago
The solution we are moving forward with, in Cypress 14:
- document.domain injection will be removed. document.domain is deprecated, and is explicitly prevented when the site in question is operating in an Origin-Agent-Cluster context. This has the following breaking changes:
  - cy.origin will be required in order to interact with any page that has a different hostname than the first visit() of the test.
  - cookie commands will align more closely with same-origin restrictions.
- document.domain injection will revert to its v13 behavior. This configuration option will be marked as deprecated, and will be removed in Cypress 15.
What would you like?
I would like to consider removing document.domain injection and making cy.visit() require a full navigation when a subdomain navigation occurs, changing the cookie APIs to set the cookie on the current domain (not super domain), and to better adhere to full origin specifications without strange exceptions when it comes to origin and domain nomenclature.
- document.domain modification deprecation
- The origin specification
Why is this needed?
With the introduction of Chrome 119, Chrome and other browsers now bucket all requests to an origin server with a given Origin-Agent-Cluster key:
Cypress ran into this in its own system tests in #29391 and we patched a workaround internally (see thread on PR).
This means the Agent-Origin-Cluster header needs to be set on the first page request. However, this is difficult for Cypress for a few reasons:
- Cypress only injects into cy.origin() or the Application Under Test (AUT). It is sometimes impossible to know when injection is going to be required in the future for a request that has already been sent to an origin server, which gives us two options:
  - Agent-Origin-Cluster: ?0 on every origin server page request, which is not only a bad security practice, but almost guarantees we will be continuing an uphill battle fighting browser security, which we don't want.
  - We remove document.domain injection, which would likely fix a slew of problems:
    - Fixes cookies implicitly locally as requests would now attach correct cookies for given domain requests

      For example, look at the following Cypress spec:

      These tests have different behavior depending on the order they are run and which window.top domain is set first, which contrasts our best practices on test determinism. Adhering closer to the browser specification and doing a document reload makes sure cookies are sent in the correct context.
    - cy.origin() now becomes more clear, which needs to be used on any origin navigation and not odd exceptions like subdomain navigation.

Other
No response
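Added example, not part of the original issue and not Cypress code: a small model of the HTML "same origin-domain" check, showing why document.domain relaxation between sibling subdomains stops working once the pages run in an origin-keyed agent cluster. The hostnames are constructed, and the dot-count suffix check is an assumption standing in for the browser's Public Suffix List lookup.

```javascript
// Added illustration of the HTML "same origin-domain" check; not Cypress code.
function makeDocument(url, { originKeyed }) {
  const { protocol, hostname, port } = new URL(url);
  // domain stays null until document.domain is successfully set
  return { scheme: protocol, host: hostname, port, domain: null, originKeyed };
}

// Models the document.domain setter. Returns true if relaxation took effect.
function setDocumentDomain(doc, value) {
  // In an origin-keyed agent cluster the setter is a silent no-op.
  if (doc.originKeyed) return false;
  // Assumption: "suffix containing a dot" stands in for the
  // registrable-domain check (browsers use the Public Suffix List).
  const isSuffix = doc.host === value || doc.host.endsWith('.' + value);
  if (!isSuffix || !value.includes('.')) {
    throw new Error('SecurityError: ' + value + ' is not a valid suffix of ' + doc.host);
  }
  doc.domain = value;
  return true;
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Synchronous script access between two documents requires this to be true.
function sameOriginDomain(a, b) {
  if (a.domain !== null && b.domain !== null) {
    // Both opted in: scheme and relaxed domain must match.
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  // Otherwise neither may have opted in, and the full origin must match.
  return a.domain === null && b.domain === null && sameOrigin(a, b);
}

// Constructed hostnames: two documents on sibling subdomains that both
// try to relax to the shared parent domain.
function canScript(originKeyed) {
  const first = makeDocument('https://app.example.com/', { originKeyed });
  const second = makeDocument('https://api.example.com/', { originKeyed });
  setDocumentDomain(first, 'example.com');
  setDocumentDomain(second, 'example.com');
  return sameOriginDomain(first, second);
}
```

The model also shows a side effect of relaxation: two documents on the same origin stop being same origin-domain if only one of them sets document.domain.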