Feat: certain Cypress commands should not be bound to `window` in order to avoid cross origin issues

[AtofStryker]

What would you like?

I would like the following commands to not have a dependency on the window object to circumvent cross origin issues

No reason to need window as these can be returned through the automation client (either BiDi or CDP)

• cy.url()
• cy.hash()

Not possible ( or at least not trivial) This likely can be accomplished with Runtime.evaluate in CDP and script.evaluate in BiDi

• cy.go()
• cy.reload()
• cy.title()
• cy.location()

Why is this needed?

With the introduction of #30858, the goal was to prevent Cypress from getting into weird states where a command would silently fail and hang the Cypress application when invoked in a cross-origin context when it wasn't expected to be. The goal here was to avoid issues like seen in #30848 where the errors were either non-existent or cryptic. This meant enforcing origin checks additionally on the following commands:

• cy.scrollTo()
• cy.window()
• cy.document()
• cy.title()
• cy.url()
• cy.location()
• cy.hash()
• cy.go()
• cy.reload()

However, since the release of Cypress 14, there have been some reported issues, in particular #31100 where users need to conditionally check the url the AUT (Application Under Test) is on in order to see if two factor authentication is needed. We typically do not recommend conditional testing, but this is an incredibly valid use case. We think the best way to solve this is to make certain commands not reference the window where possible, so we can provide users with the best error context possible while providing consistent commands suite user needs.

Other

No response

[AtofStryker]

We also should consider removing the origin constraint from cy.window() with this work as there are also valid use cases there where certain properties can be referenced on the window, though most cannot be accessed

[AtofStryker]

Looks like the two commands, which are likely the most used in a cross origin context are:

• cy.url() - available on the CDP frame Tree and Bidi browsing context
• cy.hash() - available on the CDP frame Tree and Bidi browsing context (might need to parse the url hash in the firefox automation client)

This might need to wait until Cypress 15 for a few reasons:

1. We are now calling the automation client in cy.url() and cy.hash() with Commands.add instead of Commands.addQuery, which changes the signature of the Cypress command. I don't believe we can fit the automation client into the addQuery since the function needs to be retry-able and is synchronous as opposed to a single call out to the automation client
2. To support this in Firefox, we need to use BiDi as the automation client, which we have not cut over from the web extension just yet. The way the automation client in the server works currently is it can use CDP/BiDi or the web extension, but not both. So I think that means misc: Replace @packages/extension methods that are now implemented by WebDriver BiDi when BiDi is enabled #30221 is a prerequisite to this work.

Here is the spike branch for future reference

[sclavijosuero]

@AtofStryker , I believe this is related to the issue I'm experiencing: #23799 (comment)

[AtofStryker]

@AtofStryker , I believe this is related to the issue I'm experiencing: #23799 (comment)

@sclavijosuero thank you for bringing it to my attention. I responded here