no message (+1 squashed commit)

Squashed commits: [af2cb43ff8] chore: Move 'sandbox' and 'navigate-to' into `unsupportedCSPDirectives` - Add additional system tests - Update snapshots and unit test
cypress-io · Jun 5, 2023 · 1b5b4fb · 1b5b4fb
1 parent bfd150d
commit 1b5b4fb
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 5 deletions.
diff --git a/cli/types/cypress.d.ts b/cli/types/cypress.d.ts
@@ -2672,7 +2672,7 @@ declare namespace Cypress {
     force: boolean
   }
 
-  type experimentalCspAllowedDirectives = 'default-src' | 'child-src' | 'frame-src' | 'script-src' | 'script-src-elem' | 'sandbox' | 'form-action' | 'navigate-to'
+  type experimentalCspAllowedDirectives = 'default-src' | 'child-src' | 'frame-src' | 'script-src' | 'script-src-elem' | 'form-action'
 
   type scrollBehaviorOptions = false | 'center' | 'top' | 'bottom' | 'nearest'
 

diff --git a/packages/config/src/options.ts b/packages/config/src/options.ts
@@ -201,7 +201,7 @@ const driverConfigOptions: Array<DriverConfigOption> = [
   }, {
     name: 'experimentalCspAllowList',
     defaultValue: false,
-    validation: validate.validateAny(validate.isBoolean, validate.isArrayIncludingAny('script-src-elem', 'script-src', 'default-src', 'sandbox', 'form-action', 'navigate-to', 'child-src', 'frame-src')),
+    validation: validate.validateAny(validate.isBoolean, validate.isArrayIncludingAny('script-src-elem', 'script-src', 'default-src', 'form-action', 'child-src', 'frame-src')),
     overrideLevel: 'never',
     requireRestartOnChange: 'server',
   }, {

diff --git a/packages/proxy/lib/http/util/csp-header.ts b/packages/proxy/lib/http/util/csp-header.ts
@@ -8,7 +8,7 @@ export const nonceDirectives = ['script-src-elem', 'script-src', 'default-src']
 
 export const problematicCspDirectives = [
   ...nonceDirectives,
-  'child-src', 'frame-src', 'sandbox', 'form-action', 'navigate-to',
+  'child-src', 'frame-src', 'form-action',
 ] as Cypress.experimentalCspAllowedDirectives[]
 
 export const unsupportedCSPDirectives = [
@@ -19,6 +19,14 @@ export const unsupportedCSPDirectives = [
    * top-level frame.
    */
   'frame-ancestors',
+  /**
+   * The `navigate-to` directive is not yet fully supported, so we are erring on the side of caution
+   */
+  'navigate-to',
+  /**
+   * The `sandbox` directive seems to affect all iframes on the page, even if the page is a direct child of Cypress
+   */
+  'sandbox',
   /**
    * Since Cypress might modify the DOM of the application under test, `trusted-types` would prevent the
    * DOM injection from occurring.

diff --git a/packages/server/test/unit/config_spec.js b/packages/server/test/unit/config_spec.js
@@ -573,7 +573,7 @@ describe('lib/config', () => {
       })
 
       context('experimentalCspAllowList', () => {
-        const experimentalCspAllowedDirectives = JSON.stringify(['script-src-elem', 'script-src', 'default-src', 'sandbox', 'form-action', 'navigate-to', 'child-src', 'frame-src']).split(',').join(', ')
+        const experimentalCspAllowedDirectives = JSON.stringify(['script-src-elem', 'script-src', 'default-src', 'form-action', 'child-src', 'frame-src']).split(',').join(', ')
 
         it('passes if false', function () {
           this.setup({ experimentalCspAllowList: false })
@@ -600,7 +600,7 @@ describe('lib/config', () => {
         })
 
         it('passes if subset of Cypress.experimentalCspAllowedDirectives[]', function () {
-          this.setup({ experimentalCspAllowList: ['default-src', 'sandbox'] })
+          this.setup({ experimentalCspAllowList: ['default-src', 'form-action'] })
 
           return this.expectValidationPasses()
         })

diff --git a/...cts/e2e/cypress/e2e/experimental_csp_allow_list_spec/with_allow_list_custom_or_true.cy.ts b/...cts/e2e/cypress/e2e/experimental_csp_allow_list_spec/with_allow_list_custom_or_true.cy.ts
@@ -39,6 +39,25 @@ describe('experimentalCspAllowList is custom or true', () => {
 
       cy.get('h1').contains('CSP Script Test Modified').should('be.visible')
     })
+
+    it('sandbox is always stripped', () => {
+      // Since sandbox is inclusive, all other sandbox actions would be restricted except for `allow-downloads`
+      visitUrl.searchParams.append('csp', `sandbox 'allow-downloads'`)
+      cy.visit(visitUrl.toString())
+
+      // expect the form to post and navigate to a new page, meaning the sandbox directive was stripped
+      cy.get('#submit').click()
+      cy.contains('Cannot POST /').should('exist')
+    })
+
+    it('navigate-to is always stripped', () => {
+      visitUrl.searchParams.append('csp', `navigate-to 'none'`)
+      cy.visit(visitUrl.toString())
+
+      // expect the form to post and navigate to a new page, meaning the navigate-to directive was stripped
+      cy.get('#submit').click()
+      cy.contains('Cannot POST /').should('exist')
+    })
   })
 
   describe('allowed', () => {