fix: Improve cross-origin cookie handling

packages/app/src/runner/event-manager.ts

@@ -39,7 +39,7 @@ const driverToSocketEvents = 'backend:request automation:request mocha recorder:
 const driverTestEvents = 'test:before:run:async test:after:run'.split(' ')
 const driverToLocalEvents = 'viewport:changed config stop url:changed page:loading visit:failed visit:blank cypress:in:cypress:runner:event'.split(' ')
 const socketRerunEvents = 'runner:restart watched:file:changed'.split(' ')
-const socketToDriverEvents = 'net:stubbing:event request:event script:error'.split(' ')
+const socketToDriverEvents = 'net:stubbing:event request:event script:error cross:origin:automation:cookies'.split(' ')
 const localToReporterEvents = 'reporter:log:add reporter:log:state:changed reporter:log:remove'.split(' ')
 
 /**

packages/driver/cross-origin-testing.md

@@ -121,11 +121,9 @@ Similar to **defaults()** methods needing to be called again, some events may ne
 
 ## Cookies
 
-Having the **AUT** on a different origin than **top** causes issues with cookies being set for the origin in the **AUT**. Cookies have a **SameSite** attribute that can be set to **Strict**, **Lax**, ****or **None**. If **Strict** or **Lax**, cookies will not be set when the site is in an iframe on a different origin from the **top frame**.
+Having the **AUT** on a different origin than **top** causes issues with cookies being set for the origin in the **AUT**. Cookies that would normally be set when a user's app is run outside of Cypress are not set due to it being rendered in an iframe.
 
-In order to counteract this, we currently coerce the **SameSite** value of all cross-origin cookies to be **None**. This is not particularly ideal, since it could lead to unexpected behavior if cookies are set even though they should not be.
-
-There are plans to change the implementation so that coercing the cookies is not necessary, so this behavior will change, but cookies will still need special handling for them to work as expected with a site whose origin is secondary.
+In order to counteract this, we utilize the [proxy](../proxy) to capture cookies from cross-origin responses, store them in our own server-side cookie jar, set them in the browser with automation, and then attach them to cross-origin requests where appropriate. This simulates how cookies behave outside of Cypress.
 
 ## Unsupported APIs
 

packages/driver/cypress.config.ts

@@ -5,6 +5,7 @@ export default defineConfig({
   'hosts': {
     '*.foobar.com': '127.0.0.1',
     '*.idp.com': '127.0.0.1',
+    'localalias': '127.0.0.1',
   },
   'reporter': 'cypress-multi-reporters',
   'reporterOptions': {

packages/driver/cypress/e2e/commands/navigation.cy.js

@@ -1987,7 +1987,7 @@ describe('src/cy/commands/navigation', () => {
             // on 2nd retry add the DOM element
             const win = cy.state('window')
 
-            $('<div id=\'does-not-exist\'>does not exist<div>')
+            $('<div id=\'did-not-exist\'>did not exist<div>')
             .appendTo(win.document.body)
 
             break
@@ -1996,7 +1996,7 @@ describe('src/cy/commands/navigation', () => {
             // and on the 3rd retry add the class
             cy.state('window')
 
-            $('#does-not-exist').addClass('foo')
+            $('#did-not-exist').addClass('foo')
 
             break
           }
@@ -2011,7 +2011,7 @@ describe('src/cy/commands/navigation', () => {
       // make get timeout after 300ms
       // but even though our page does not load for 500ms
       // this does not time out
-      .get('#does-not-exist', { timeout: 300 }).should('have.class', 'foo')
+      .get('#did-not-exist', { timeout: 300 }).should('have.class', 'foo')
     })
 
     describe('errors', () => {