qentinelqi / qweb

Keyword driven automation for the web
https://github.com/qentinelqi/qweb
Apache License 2.0

QWeb tries to inject JQuery to web pages #139

Closed mbchy closed 8 months ago

mbchy commented 9 months ago

Description

QWeb tries to inject JQuery to web pages. If a website has a strict Content Security Policy setting, where injecting 3rd party scripts is not allowed, QWeb fills robot logs with error messages:

Unable to check AJAX requests due error: Message: javascript error: Failed to set the 'src' property on 'HTMLScriptElement': This document requires 'TrustedScriptURL' assignment.

The problem seems to lie in the setup_xhr_monitor() function defined in QWeb/internal/xhr.py and called from the keywords Open Browser and Open Window.

I would propose two possible solutions:

  1. make it possible to switch off the xhr monitor functionality
  2. log the error messages with a different loglevel

This would be helpful if it is not possible to change the CSP settings of the System Under Test.

To Reproduce

Steps to reproduce the behavior:

  1. Using QWeb, Open Browser (chrome) to a web page with strict CSP (require-trusted-types-for 'script'; default-src 'self')
  2. Use any keywords (ClickText, VerifyText, TypeText, ...)
  3. End test, open log
  4. Info level error messages should be printed in keyword logs

Expected behavior

  1. Error messages should be logged with debug or trace level
  2. User should be able to configure the xhr_monitor functionality (turn it off)

System info:

Additional context

About CSP & TrustedTypes:

https://web.dev/articles/trusted-types

https://developer.mozilla.org/en-US/docs/Web/API/TrustedScriptURL

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for
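An added example, not part of the issue thread or QWeb's code: a preflight check that reads a page's CSP header and lists why setting `script.src` to an external URL would be refused, using the policy from the reproduction steps. The script URL and page origin are constructed placeholders, source matching is simplified (ports and paths ignored), and a page-defined default Trusted Types policy is not modelled.

```python
"""Added example: predict whether a CSP blocks injecting an external <script>."""

def parse_csp(header):
    """Return {directive: [values]}; the first occurrence of a directive wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_allows(sources, url, page_origin):
    """Simplified source-list match: 'self', '*', scheme sources, exact/wildcard hosts."""
    scheme, _, rest = url.partition("://")
    host = rest.split("/", 1)[0]
    for src in sources:
        s = src.lower()
        if s == "'none'":
            return False
        if s == "*" or (s == "'self'" and f"{scheme}://{host}" == page_origin):
            return True
        if s == scheme + ":":
            return True
        s_host = s.split("://", 1)[-1].split("/", 1)[0]
        if s_host == host or (s_host.startswith("*.") and host.endswith(s_host[1:])):
            return True
    return False

def injection_blockers(header, script_url, page_origin):
    """List the reasons a script.src injection from script_url would be refused."""
    policy = parse_csp(header)
    reasons = []
    if "'script'" in policy.get("require-trusted-types-for", []):
        reasons.append("trusted-types: script.src needs a TrustedScriptURL")
    for name in ("script-src-elem", "script-src", "default-src"):
        if name in policy:  # most specific directive present governs <script src>
            if not source_allows(policy[name], script_url, page_origin):
                reasons.append(f"{name}: {script_url} is not an allowed source")
            break
    return reasons

STRICT = "require-trusted-types-for 'script'; default-src 'self'"  # policy from the report
SCRIPT_URL = "https://cdn.example/jquery.min.js"  # constructed placeholder URL
ORIGIN = "https://sut.example"                    # constructed placeholder origin

if __name__ == "__main__":
    for reason in injection_blockers(STRICT, SCRIPT_URL, ORIGIN):
        print(reason)
```

Under the reported policy both checks fire: Trusted Types rejects the plain string assignment, and `default-src 'self'` would refuse the third-party host even without it.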

tkoukkari commented 9 months ago

Thank you. Yes, those messages should be clearly logged with at minimum "debug" log level. We will change this. For the second part, the wait function can be overridden with "Set Wait Function".

mbchy commented 9 months ago

Thank you for the quick reply, @tkoukkari! I will try monkey patching the wait function. I'm a bit confused though, as Open Browser and Open Window seem to directly call setup_xhr_monitor(), which tries to inject the script.

https://github.com/qentinelqi/qweb/blob/529aea5408749a00dccbc7e2b87cf45ebb54f355/QWeb/keywords/browser.py#L351C1-L351C28

https://github.com/qentinelqi/qweb/blob/529aea5408749a00dccbc7e2b87cf45ebb54f355/QWeb/keywords/window.py#L97C32-L98C7

https://github.com/qentinelqi/qweb/blob/529aea5408749a00dccbc7e2b87cf45ebb54f355/QWeb/internal/xhr.py#L24

Am I getting something wrong here?

tkoukkari commented 9 months ago

> Thank you for the quick reply, @tkoukkari! I will try monkey patching the wait function. I'm a bit confused though, as Open Browser and Open Window seem to directly call setup_xhr_monitor(), which tries to inject the script.
>
> https://github.com/qentinelqi/qweb/blob/529aea5408749a00dccbc7e2b87cf45ebb54f355/QWeb/keywords/browser.py#L351C1-L351C28
>
> https://github.com/qentinelqi/qweb/blob/529aea5408749a00dccbc7e2b87cf45ebb54f355/QWeb/keywords/window.py#L97C32-L98C7
>
> https://github.com/qentinelqi/qweb/blob/529aea5408749a00dccbc7e2b87cf45ebb54f355/QWeb/internal/xhr.py#L24
>
> Am I getting something wrong here?

Try using "Set Wait Function" with something simple first, for example just waiting for a few seconds. I think it should not matter if we try to register that monitor on startup if it's not called anymore later. I could be wrong, old code.

mbchy commented 9 months ago

Setting wait function seemed to fix the issue for now. I will test this more tomorrow. Thank you 👍

tkoukkari commented 8 months ago

Logging level change was released in 3.2.0.