Closed csabapalfi closed 6 years ago
Curl'ing that URL gives me...
I'm assuming the cookie that ends up on a new line is the one causing the problem. TBH I'm surprised the web works as well as it does.
I mean, Microsoft spent over $100 million dollars a year building IE6 and we know where that ended up.
TIL it appears any cookie name with an underscore is ignored by Chrome. The new line causes the crash in Node.
I think Incapsula (the Web Application Firewall that we use) drops that cookie only when certain conditions are met. I wonder if it's deliberately trying to break proxying the page to prevent scraping/abuse. Tbh I should probably reach out to those guys, too.
Raised this with our security team here who are reaching out to Incapsula to confirm the reason behind the invalid cookies. I'm sure it's going to be some weird quirk.
The code for this is done, but this has yet to be released. We'll update this issue and reference the changelog when it's released.
Hey @csabapalfi did your team ever figure this out?
I'm having similar issues (outside of Cypress) where Incap is returning this invalid cookie, and crashing my node-http-proxy. :/
I think it’s one of their built-in bot deterring features or something similar. We had to reach out to them and it got turned off for our domain.
That’s where my own investigation has led me. Appreciate the answer, thank you!
On Apr 16, 2019, 1:25 PM -0400, Csaba Palfi notifications@github.com, wrote:
> I think it’s one of their built-in bot deterring features or something similar. We had to reach out to them and it got turned off for our domain.
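A defensive filter for the failure discussed in this thread, as an added example that is not Cypress or node-http-proxy code: a proxy can check each upstream Set-Cookie value against the characters Node's http module accepts in a header value and drop the invalid ones instead of crashing. The function names and the sample headers are assumptions constructed for illustration.

```javascript
// Added example: not Cypress or node-http-proxy code. Sample headers are constructed.

// Characters Node's http module rejects in a header value (setHeader throws
// ERR_INVALID_CHAR): anything outside TAB, 0x20-0x7e and 0x80-0xff.
const INVALID_HEADER_CHAR = /[^\t\x20-\x7e\x80-\xff]/;

// Describe the first offending character so the drop can be logged and traced.
function findInvalidChar(value) {
  const m = INVALID_HEADER_CHAR.exec(String(value));
  if (!m) return null;
  const hex = m[0].codePointAt(0).toString(16).toUpperCase().padStart(4, '0');
  return { index: m.index, codePoint: 'U+' + hex };
}

// Split upstream Set-Cookie values into those safe to forward and those to drop.
function filterSetCookie(values) {
  const list = values == null ? [] : Array.isArray(values) ? values : [values];
  const kept = [];
  const dropped = [];
  for (const value of list) {
    const bad = findInvalidChar(value);
    if (bad) dropped.push({ value, ...bad });
    else kept.push(value);
  }
  return { kept, dropped };
}

// Build the header map to send to the client, leaving other headers untouched.
function sanitizeResponseHeaders(headers) {
  const out = { ...headers };
  const { kept, dropped } = filterSetCookie(headers['set-cookie']);
  if (kept.length) out['set-cookie'] = kept;
  else delete out['set-cookie'];
  return { headers: out, dropped };
}

// Constructed upstream response: one good cookie, one with a newline, one with U+2713.
const upstream = {
  'content-type': 'text/html',
  'set-cookie': [
    'session=abc123; Path=/; HttpOnly',
    'bot_check=1\nvalue; Path=/',
    'pref=\u2713; Path=/',
  ],
};

const result = sanitizeResponseHeaders(upstream);
for (const d of result.dropped) {
  console.warn(`dropped Set-Cookie: invalid ${d.codePoint} at index ${d.index}`);
}
```

Logging each dropped value with the offending code point gives the security team something concrete to take to the WAF vendor.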
Is this a Feature or Bug?
Bug
Current behavior:
When a server responds with an invalid Set-Cookie header (e.g. containing a unicode character) then Cypress crashes.
Desired behavior:
When a server responds with an invalid Set-Cookie header (e.g. containing a unicode character) then Cypress could:
How to reproduce:
See test code below.
Test code:
Additional Info (images, stack traces, etc)
Our WAF (Incapsula) might be dropping that invalid cookie intentionally.
The error thrown: