feat: Selective CSP header stripping from HTTPResponse #26483

Merged
Changes from 17 commits
27 commits
de633a1
feat: Selective CSP header directive stripping from HTTPResponse
pgoforth Apr 11, 2023
b66f778
feat: Selective CSP header directive permission from HTTPResponse
pgoforth May 23, 2023
517cf6c
Address Review Comments:
pgoforth May 24, 2023
52f78a7
chore: refactor driver test into system tests to get better test
AtofStryker May 24, 2023
f2b5bc1
Address Review Comments:
pgoforth May 31, 2023
85cfaff
chore: Add `frame-src` and `child-src` to conditional CSP directives
pgoforth Jun 2, 2023
2886cd9
chore: Rename `isSubsetOf` to `isArrayIncludingAny`
pgoforth Jun 2, 2023
4a19a59
chore: fix CLI linting types
AtofStryker Jun 5, 2023
ebbe44c
chore: fix server unit tests
AtofStryker Jun 5, 2023
952d092
chore: fix system tests within firefox and webkit
AtofStryker Jun 5, 2023
d2057be
chore: add form-action test
AtofStryker Jun 5, 2023
361a9eb
chore: update system test snapshots
AtofStryker Jun 5, 2023
bfd150d
chore: skip tests in webkit due to form-action flakiness
AtofStryker Jun 5, 2023
e1142ec
chore: Move 'sandbox' and 'navigate-to' into `unsupportedCSPDirectives`
pgoforth Jun 5, 2023
c240e41
chore: update system test snapshots
AtofStryker Jun 6, 2023
afa19c1
chore: fix system tests
AtofStryker Jun 6, 2023
7219304
chore: do not run csp tests within firefox or webkit due to flake iss…
AtofStryker Jun 6, 2023
d3c9a9a
chore: attempt to increase intercept delay to avoid race condition
AtofStryker Jun 7, 2023
c599a2b
Merge branch 'develop' of github.com:cypress-io/cypress into issue-10…
AtofStryker Jun 7, 2023
16310ff
Merge branch 'develop' into issue-1030/pgoforth/load-site-witout-csp-…
AtofStryker Jun 8, 2023
980b4f7
Merge branch 'develop' of github.com:cypress-io/cypress into issue-10…
AtofStryker Jun 8, 2023
41945cd
chore: update new snapshots with video defaults work
AtofStryker Jun 8, 2023
27b6a7c
chore: update changelog
AtofStryker Jun 8, 2023
c91a96a
Merge branch 'develop' into issue-1030/pgoforth/load-site-witout-csp-…
mschile Jun 13, 2023
76b20db
Merge branch 'develop' into issue-1030/pgoforth/load-site-witout-csp-…
AtofStryker Jun 13, 2023
2796e4e
Merge branch 'develop' into issue-1030/pgoforth/load-site-witout-csp-…
AtofStryker Jun 14, 2023
161a603
Merge branch 'develop' into issue-1030/pgoforth/load-site-witout-csp-…
AtofStryker Jun 14, 2023
6 changes: 5 additions & 1 deletion cli/CHANGELOG.md
@@ -1,8 +1,12 @@
<!-- See the ../guides/writing-the-cypress-changelog.md for details on writing the changelog. -->
## 12.13.1
## 12.14.0

_Released 06/06/2023 (PENDING)_

**Features:**

- Cypress can now test pages with targeted `Content-Security-Policy` and `Content-Security-Policy-Report-Only` header directives by specifying the allow list via the [`experimentalCspAllowList`](https://docs.cypress.io/guides/references/configuration#Experimental-Csp-Allow-List) configuration option. Addresses [#1030](https://github.com/cypress-io/cypress/issues/1030). Addressed in [#26483](https://github.com/cypress-io/cypress/pull/26483)

**Bugfixes:**

- Fixes issue not detecting Angular 16 dependencies in launchpad. Addresses [#26852](https://github.com/cypress-io/cypress/issues/26852)
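Review bot: the `experimentalCspAllowList` entry never says what happens when the option is left alone, so a reader cannot tell from the changelog whether this release changes behaviour for existing projects; the `cypress.d.ts` doc comment in this same PR states that `false` (the default) strips the entire CSP header, and one clause here saying "with the default `false`, Cypress strips the entire header" would make the opt-in nature explicit. Two smaller points: "Addresses [#1030]... Addressed in [#26483]" repeats the verb, and this entry links the full `docs.cypress.io/guides/references/configuration#Experimental-Csp-Allow-List` URL while the d.ts `@see` uses the `on.cypress.io/configuration#experimentalCspAllowList` short link, which the inline comments say still needs its manifest deployed; using the same link in both places avoids one of them going stale.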
15 changes: 15 additions & 0 deletions cli/types/cypress.d.ts
Expand Up @@ -2672,6 +2672,8 @@ declare namespace Cypress {
force: boolean
}

type experimentalCspAllowedDirectives = 'default-src' | 'child-src' | 'frame-src' | 'script-src' | 'script-src-elem' | 'form-action'

type scrollBehaviorOptions = false | 'center' | 'top' | 'bottom' | 'nearest'

/**
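Review bot: `experimentalCspAllowedDirectives` is added without a doc comment, so anyone browsing the public types sees six permitted values (`default-src`, `child-src`, `frame-src`, `script-src`, `script-src-elem`, `form-action`) with no indication of the selection criterion, nor that directives such as `sandbox` and `navigate-to`, which the commit list moves into `unsupportedCSPDirectives`, are deliberately excluded. Suggest a short JSDoc above the type stating why these are the allow-listable directives and pointing at the same `@see` link the option itself uses, since this type is the only place the accepted array values are enumerated for users.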
Expand Down Expand Up @@ -3048,6 +3050,19 @@ declare namespace Cypress {
* @default 'top'
*/
scrollBehavior: scrollBehaviorOptions
/**
* Indicates whether Cypress should allow CSP header directives from the application under test.
* - When this option is set to `false`, Cypress will strip the entire CSP header.
* - When this option is set to `true`, Cypress will only to strip directives that would interfere
* with or inhibit Cypress functionality.
* - When this option to an array of allowable directives (`[ 'default-src', ... ]`), the directives
* specified will remain in the response headers.
*
* Please see the documentation for more information.
* @see https://on.cypress.io/configuration#experimentalCspAllowList
Note to myself that we will need to deploy the on links (see release process step 2) for this to work. I will take care of creating the manifest PR for this next week.

@mschile, since this isn't making it into today's release, you may have to handle it for the next release.

* @default false
*/
experimentalCspAllowList: boolean | experimentalCspAllowedDirectives[],
/**
* Allows listening to the `before:run`, `after:run`, `before:spec`, and `after:spec` events in the plugins file during interactive mode.
* @default false
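Review bot: the doc comment carries two grammar slips that will ship in the public types: "Cypress will only to strip directives" should read "Cypress will only strip directives", and "When this option to an array of allowable directives" is missing "is set". More important for anyone weighing the option, the `true` case says Cypress strips "directives that would interfere with or inhibit Cypress functionality" without naming them; since tests then exercise the application under a weaker policy than production, the comment (or the linked docs page) should list which directives are removed so teams know which CSP protections their tests are not validating. Also, `experimentalCspAllowList: boolean | experimentalCspAllowedDirectives[],` ends with a comma while the neighbouring member `scrollBehavior: scrollBehaviorOptions` uses no separator; drop the comma for consistency with the surrounding declarations.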
1 change: 1 addition & 0 deletions packages/app/cypress.config.ts
Expand Up @@ -12,6 +12,7 @@ export default defineConfig({
reporterOptions: {
configFile: '../../mocha-reporter-config.json',
},
experimentalCspAllowList: false,
experimentalInteractiveRunEvents: true,
component: {
experimentalSingleTabRunMode: true,
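Review bot: `experimentalCspAllowList: false` in this config is identical to the default the same PR declares (`@default false` in `cypress.d.ts`), so the line is either redundant or documents a deliberate choice for the app package's own tests; a one-line comment saying why it is pinned would save the next reader from wondering whether it was meant to be `true` or an allow list.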
Expand Up @@ -83,6 +83,11 @@
"from": "default",
"field": "execTimeout"
},
{
"value": false,
"from": "default",
"field": "experimentalCspAllowList"
},
{
"value": false,
"from": "default",
Expand Up @@ -59,6 +59,11 @@
"from": "default",
"field": "execTimeout"
},
{
"value": false,
"from": "default",
"field": "experimentalCspAllowList"
},
{
"value": false,
"from": "default",
Expand Up @@ -444,6 +444,11 @@
"from": "default",
"field": "execTimeout"
},
{
"value": false,
"from": "default",
"field": "experimentalCspAllowList"
},
{
"value": false,
"from": "default",
Expand Up @@ -83,6 +83,11 @@
"from": "default",
"field": "execTimeout"
},
{
"value": false,
"from": "default",
"field": "experimentalCspAllowList"
},
{
"value": false,
"from": "default",
Expand Up @@ -59,6 +59,11 @@
"from": "default",
"field": "execTimeout"
},
{
"value": false,
"from": "default",
"field": "experimentalCspAllowList"
},
{
"value": false,
"from": "default",
Expand Up @@ -1445,6 +1445,11 @@
"from": "default",
"field": "execTimeout"
},
{
"value": false,
"from": "default",
"field": "experimentalCspAllowList"
},
{
"value": false,
"from": "default",
3 changes: 3 additions & 0 deletions packages/config/__snapshots__/index.spec.ts.js
Expand Up @@ -34,6 +34,7 @@ exports['config/src/index .getDefaultValues returns list of public config keys 1
},
'env': {},
'execTimeout': 60000,
'experimentalCspAllowList': false,
'experimentalFetchPolyfill': false,
'experimentalInteractiveRunEvents': false,
'experimentalRunAllSpecs': false,
Expand Down Expand Up @@ -121,6 +122,7 @@ exports['config/src/index .getDefaultValues returns list of public config keys f
},
'env': {},
'execTimeout': 60000,
'experimentalCspAllowList': false,
'experimentalFetchPolyfill': false,
'experimentalInteractiveRunEvents': false,
'experimentalRunAllSpecs': false,
Expand Down Expand Up @@ -204,6 +206,7 @@ exports['config/src/index .getPublicConfigKeys returns list of public config key
'e2e',
'env',
'execTimeout',
'experimentalCspAllowList',
'experimentalFetchPolyfill',
'experimentalInteractiveRunEvents',
'experimentalRunAllSpecs',