Unexpected Chrome SecurityError in Headless mode

[Hawxy]

Current behavior

We recently did an upgrade of one of our pipelines from Cypress 13.6.1 & Chrome 107 to Cypress 13.15.2 & Chrome 130. This resulted in random cy.session failures appearing in our Github Actions pipelines when a test redirects to Auth0. At first I thought this was a Cypress issue, but I've worked out that the issue only appears when running new versions of Chrome in headless mode. Downgrading to Chrome 109 the issue goes away. Opening Cypress via open is unable to reproduce the issue.

We see the below message, but checking the replay we can tell the page loaded fine:

Timed out after waiting 60000ms for your remote page to load.

Your page did not fire its load event within 60000ms.

Checking the console logs, we get the below:

Uncaught SecurityError: Failed to read a named property 'Cypress' from 'Window': Blocked a frame with origin "https://{our-custom-auth0-domain}" from accessing a cross-origin frame. at https://{our-custom-auth0-domain}/u/login/identifier

This only occurs after a number of already-successful logins in other specs and the spec that fails seems to be whichever one is 5th or 6th in the test suite.

Desired behavior

Not crash with a SecurityError

Test code to reproduce

To reproduce this you need to target a website that has a same-origin redirect to an Auth0 login page (product.ourdomain.dev -> login.ourdomain.dev), which I've put together. Cross-origin redirects are not impacted by this issue (localhost -> login.ourdomain.dev).

https://github.com/Hawxy/cypress-same-origin-crash

Run with npx cypress run --browser chrome (or edge) --headless

Should fail within a few specs.

Cypress Version

13.15.2

Node version

20/22 (not a factor)

Operating System

Ubuntu/Windows (not a factor)

Debug Logs

No response

Other

No response

[jennifer-shehane]

@Hawxy Thanks for providing a fully reproducible example! This is due to this issue: https://github.com/cypress-io/cypress/issues/29590 where Chrome has begun changing their behavior around the use of document.domain. We intend to fully address this in Cypress 14 (which we're working on), but it will require some changes to test code.

To workaround the issue today:

• Add experimentalSkipDomainInjection to your config file with the domains where this is erroring.

  experimentalSkipDomainInjection:  [
    '*.inxcloud.dev',
  ],

• Then you'll need to wrap any subdomain visits/redirects with cy.origin.

   cy.visit('/authenticate?homeRealm=0');
   cy.origin('https://login.au.inxcloud.dev', () => {
      cy.wait(1500);
      cy.get('#username').type("placeholder");
   })

This will be required in v14 (except without the experimental flag), so you'll need to make these origin changes eventually anyway.