window.isSecureContext is false on localhost in Firefox #18217

Open
marek-saji opened this issue Sep 23, 2021 · 4 comments
Labels
browser: firefox E2E Issue related to end-to-end testing existing workaround Triaged Issue has been routed to backlog. This is not a commitment to have it prioritized by the team.

Comments

@marek-saji

Current behavior

When running tests in Firefox, localhost is not treated as a secure context:

window.isSecureContext === false

Desired behavior

When running tests in Firefox, localhost should be treated as a secure context:

window.isSecureContext === true

Test code to reproduce

https://github.com/marek-saji/cypress-bug-firefox-localhost-secure

Cypress Version

8.4.1

Other

I’m using web crypto API, which requires secure context.

I figured that it seems like something in the Firefox profile Cypress is using. I ran Firefox with the same parameters that Cypress does, sans -profile:

firefox about:blank -marionette -new-instance -foreground -start-debugger-server -no-remote --remote-debugging-port=43557

and isSecureContext on localhost is true, but when I add:

-profile /home/saji/.config/Cypress/cy/production/browsers/firefox-stable/interactive

(and disable proxying in settings) it’s false.

@cypress-app-bot
Collaborator

This issue has not had any activity in 180 days. Cypress evolves quickly and the reported behavior should be tested on the latest version of Cypress to verify the behavior is still occurring. It will be closed in 14 days if no updates are provided.

@cypress-app-bot cypress-app-bot added the stale no activity on this issue for a long period label May 15, 2023
@th1nkgr33n

I was facing this problem as well with the following setup (Cypress 12, Node 18, Firefox 112).
We run our E2E on 3 browsers (Chrome, Firefox and WebKit) and only Firefox always failed.

Like the author of the issue, I managed to break the problem down to the fact that we use the Web Crypto API to generate an auth session token which is encrypted (keyword: HKDF).
And Cypress starts Firefox so that localhost is treated as a non-secure context (window.isSecureContext = false).

Although I cannot fully explain why, this helped me, and maybe it will help others.
I tried different things, but unfortunately something like the Cypress config "chromeWebSecurity" does not exist for Firefox, and in the end I'm not quite sure if it is really needed.

I encountered another problem when I used http://localhost:3000 as baseUrl in combination with an API mock server.
So I gave it a try and, instead of using localhost, used http://127.0.0.1:3000 as the Cypress e2e.baseUrl, and finally it worked.

My best guess is that my problem has something to do with the Node 17/18 DNS resolving changes in combination with IPv4 and IPv6 (other issue).
And running on localhost instead of the IP, Firefox could not treat the URL as a secure context. Strangely enough, all possible options are configured inside the Firefox class "nsContentSecurityManager".

Running e2e.baseUrl on http://localhost:3000, I got window.isSecureContext = false,
and running e2e.baseUrl on http://127.0.0.1:3000, I got window.isSecureContext = true,
and everything works fine with the crypto API.

    // cypress.config.ts
    import { defineConfig } from 'cypress'

    export default defineConfig({
      experimentalWebKitSupport: true,
      modifyObstructiveCode: false,
      e2e: {
        baseUrl: 'http://127.0.0.1:3000',
        chromeWebSecurity: false,
        viewportHeight: 1080,
        viewportWidth: 1920,
        supportFile: './cypress/support/index.ts',
      }
    })

@AtofStryker
Contributor

I believe this is due to us setting network.proxy.allow_hijacking_localhost in order to proxy localhost upstream to the cypress proxy server. We found this had side effects with the crypto library being set in #22988 (comment). I don't think this is something we can easily change, but I believe it can be worked around with:

  • using 127.0.0.1 instead of localhost within firefox
  • using a certificate with localhost via https using something like mkcert or similar inside firefox to treat localhost as a secure context

@AtofStryker AtofStryker added the Triaged Issue has been routed to backlog. This is not a commitment to have it prioritized by the team. label May 30, 2023
@AtofStryker AtofStryker removed their assignment May 30, 2023
@AtofStryker AtofStryker added existing workaround E2E Issue related to end-to-end testing labels May 30, 2023
@rolfspuler

A workaround in Firefox is this undocumented config flag: network.proxy.testing_localhost_is_secure_when_hijacked.
Found it by chance when searching for a solution.

This seems to work:

    setupNodeEvents(on, config) {
      on('before:browser:launch', (browser, launchOptions) => {
        if (browser.family === 'firefox') {
          launchOptions.preferences['network.proxy.testing_localhost_is_secure_when_hijacked'] = true
        }
        return launchOptions
      })
    }
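
The workarounds reported in this thread, turned into a config-time check and a run-time guard. This is an added example, not code from any commenter or from Cypress. The helper names `expectSecureContext` and `assertWebCryptoUsable` and the sample window objects are hypothetical; only the preference name comes from the thread.

```javascript
// Added example; helper names are hypothetical, not Cypress or Firefox APIs.
// The preference name is the one quoted in the thread.
const HIJACK_SECURE_PREF =
  'network.proxy.testing_localhost_is_secure_when_hijacked'

// Config-time check: predict window.isSecureContext for a baseUrl, using only
// the behaviour reported in this thread for Cypress-launched browsers.
function expectSecureContext(baseUrl, browserFamily, preferences = {}) {
  const { protocol, hostname } = new URL(baseUrl)
  if (protocol === 'https:') return true      // assumes a trusted cert (e.g. mkcert)
  if (hostname === '127.0.0.1') return true   // loopback IP workaround
  if (hostname === 'localhost') {
    // Only Firefox was reported to lose the secure context on localhost.
    if (browserFamily !== 'firefox') return true
    return preferences[HIJACK_SECURE_PREF] === true
  }
  // Hosts the thread does not cover: report false so the run fails early.
  return false
}

// Run-time guard: pass the page's window (e.g. from cy.window()) and get a
// clear error instead of an obscure failure inside key derivation.
function assertWebCryptoUsable(win) {
  if (win.isSecureContext !== true) {
    throw new Error(
      `insecure context at ${win.location.origin}: crypto.subtle is unavailable`)
  }
  if (!win.crypto || !win.crypto.subtle) {
    throw new Error('secure context, but crypto.subtle is missing')
  }
  return true
}

// Constructed sample windows standing in for what the browser would expose.
const insecureWin = { isSecureContext: false, crypto: {},
  location: { origin: 'http://localhost:3000' } }
const secureWin = { isSecureContext: true, crypto: { subtle: {} },
  location: { origin: 'http://127.0.0.1:3000' } }
```

In a spec file the guard would be called as `cy.window().then(assertWebCryptoUsable)` before the first step that touches `crypto.subtle`.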
