Cypress 12.15 broke the ability to run Web Workers in cypress tests

[crfrolik]

Current behavior

Running a web worker in a cypress test after v12.15 results in an error

spec.cy.js:36 Refused to create a worker from 'blob:http://localhost:3000/164681fb-cb4d-414b-8d35-2821c8805feb' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval'". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.

Running a web worker in a cypress test in v12.14 or earlier does not have this problem.

Desired behavior

Cypress should not generate a CSP error when a web worker is used from within the test (note that this does not happen when a webworker is used in the application-under-test, i.e., inside the iframe).

If it was the Cypress team's intention to break this use case, it should have been done in a major release, not a minor release

Test code to reproduce

https://github.com/crfrolik/CypressWebWorkerTest

Instructions to reproduce are provided in the README.

Cypress Version

12.17.1

Node version

16.20.0

Operating System

Ubuntu 20.04

Debug Logs

The error that is encountered is:

     TypeError: Cannot set property message of [object DOMException] which has only a getter

Because this error occurred during a `before each` hook we are skipping the remaining tests in the current suite: `websocket in webworker`
      at modifyErrMsg (http://localhost:3000/__cypress/runner/cypress_runner.js:164400:15)
      at Object.appendErrMsg (http://localhost:3000/__cypress/runner/cypress_runner.js:164405:10)
      at Runner.<anonymous> (http://localhost:3000/__cypress/runner/cypress_runner.js:167607:76)
      at Runner.emit (http://localhost:3000/__cypress/runner/cypress_runner.js:28203:7)
      at ../driver/node_modules/mocha/lib/runner.js.Runner.fail (http://localhost:3000/__cypress/runner/cypress_runner.js:114863:8)
      at Runner.fail (http://localhost:3000/__cypress/runner/cypress_runner.js:166072:25)
      at ../driver/node_modules/mocha/lib/runner.js.Runner.failHook (http://localhost:3000/__cypress/runner/cypress_runner.js:114901:8)
      at Hook.<anonymous> (http://localhost:3000/__cypress/runner/cypress_runner.js:114975:14)
      at next (http://localhost:3000/__cypress/runner/cypress_runner.js:167997:24)
      at http://localhost:3000/__cypress/runner/cypress_runner.js:168024:13
      at tryCatcher (http://localhost:3000/__cypress/runner/cypress_runner.js:18744:23)
      at Promise._settlePromiseFromHandler (http://localhost:3000/__cypress/runner/cypress_runner.js:16679:31)
      at Promise._settlePromise (http://localhost:3000/__cypress/runner/cypress_runner.js:16736:18)
      at Promise._settlePromise0 (http://localhost:3000/__cypress/runner/cypress_runner.js:16781:10)
      at Promise._settlePromises (http://localhost:3000/__cypress/runner/cypress_runner.js:16861:18)
      at Promise._fulfill (http://localhost:3000/__cypress/runner/cypress_runner.js:16805:18)
      at Promise._resolveCallback (http://localhost:3000/__cypress/runner/cypress_runner.js:16599:57)
      at Promise._settlePromiseFromHandler (http://localhost:3000/__cypress/runner/cypress_runner.js:16691:17)
      at Promise._settlePromise (http://localhost:3000/__cypress/runner/cypress_runner.js:16736:18)
      at Promise._settlePromise0 (http://localhost:3000/__cypress/runner/cypress_runner.js:16781:10)
      at Promise._settlePromises (http://localhost:3000/__cypress/runner/cypress_runner.js:16861:18)
      at Promise._fulfill (http://localhost:3000/__cypress/runner/cypress_runner.js:16805:18)

However, the error that appears in the browser's console log may be more relevant:

spec.cy.js:36 Refused to create a worker from 'blob:http://localhost:3000/164681fb-cb4d-414b-8d35-2821c8805feb' because it violates the following Content Security Policy directie: "script-src 'unsafe-eval'". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.)

Other

Our assumption is that the changes made related to #1030 are what caused this.

Note that we have tried using the experimentalCspAllowList option and that has not addressed the issue, e.g.:

  "experimentalCspAllowList": ['script-src-elem', 'script-src', 'default-src', 'form-action', 'child-src', 'frame-src']

[lmiller1990]

Hi, we definitely did not intend to break anything. Thanks for the minimal reproduction, this is really helpful. Let me take a look and isolate the commit that introduced this, and see what we can do.

[lmiller1990]

The reproduction works as expected. I might tag @chrisbreiding, who has deep expertise in this area of the code base.

[zhongsp]

Thanks for working on this issue @lmiller1990, @chrisbreiding . I can provide some clues for your reference.

I think the following changes introduced the breaking change.

cypress/packages/driver/src/util/privileged_channel.ts

Lines 4 to 15 in 1fcdc87

	/**
	* prevents further scripts outside of our own and the spec itself from being
	* run in the spec frame
	* @param specWindow: Window
	*/
	export function setSpecContentSecurityPolicy (specWindow) {
	const metaEl = specWindow.document.createElement('meta')
	metaEl.setAttribute('http-equiv', 'Content-Security-Policy')
	metaEl.setAttribute('content', `script-src 'unsafe-eval'`)
	specWindow.document.querySelector('head')!.appendChild(metaEl)
	}

It seems the changes are part of privileged commands feature that I'm not familiar with. It sets some CSP headers that disallow web worker from running in my scenario.

[c32hedge]

Thanks for the prompt fix! Any word on when this will be available in a release?

[chrisbreiding]

@c32hedge There should be a new release out this week, possibly today, that has the fix

[cypress-bot]

Released in 12.17.2.

This comment thread has been locked. If you are still experiencing this issue after upgrading to
Cypress v12.17.2, please open a new issue.