chromeWebSecurity workaround for Cross origin errors no longer working.

[jjp390]

Current behavior:

Using { "chromeWebSecurity": false } is not being respected when the test is running since the upgrade from Chrome 66 -> 67.

CypressError: Cypress detected a cross origin error happened on page load:

  Blocked a frame with origin "url" from accessing a cross-origin frame.

Before the page load, you were bound to the origin policy:
  url2

Desired behavior:

Previously the bypass would allow the test to run and pass over the error

Steps to reproduce:

https://github.com/jjp390/cypress-test-tiny
From here, run npx cypress open and then run the test spec.js and it will throw the error at the end despite the added file in cypress.json

Versions

Cypress 3.0.1, OSX 10.13.5, Chrome 67

[konrad-arena]

chrome 69 (unstable) seems to be fine

[poornimachinnaraj]

Is there any proper solution for this problem,I have the same issue.

[alinadrescher]

Is there any update on this? We have the same issue. Also using chrome 69 seems to not work!

[poornimachinnaraj]

Nope ..I gave up looking for solution.I am planning in by passing the logging in test for my case.

…

________________________________ From: alinadrescher <notifications@github.com> Sent: Wednesday, June 20, 2018 7:12:21 AM To: cypress-io/cypress Cc: poornimachinnaraj; Comment Subject: Re: [cypress-io/cypress] chromeWebSecurity workaround for Cross origin errors no longer working. (#1951) Is there any update on this? We have the same issue. Also using chrome 69 seems to not work! — You are receiving this because you commented. Reply to this email directly, view it on GitHub<#1951 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AiDr80qcrKn9rM6vOPpkgTVLiyjrvwsHks5t-jwlgaJpZM4UoZR9>.

[Peggy1012]

I have the same problem with update Chrome.

[brian-mann]

I looked into this and it's because in Chrome 67 they've begun to randomly roll out Site Isolation.

It's currently a Known Isssue documented here that this breaks the --disable-web-security flag. http://www.chromium.org/Home/chromium-security/site-isolation

I believe that because it is a random rollout then only a subset of users are experiencing this. Did you know that Chrome does A/B experiments and collects the usage?

It's likely that either Chrome 69 (currently Canary) has either fixed this or, or on that browser you do not have Site Isolation enabled.

TO FIX THIS:

Add the --disable-site-isolation-trials argument to chrome via https://docs.cypress.io/api/plugins/browser-launch-api.html#Usage

We'll go ahead and update the flags to include this by default.

IN THE FUTURE:

Chrome upgrades should never really affect you this much. For instance, nobody is ever forcing you to upgrade. Whenever newer versions come out that break things in Cypress you should:

• Try Canary to see if its fixed
• Use the built in Cypress Electron browser
• Download the previous version of Chrome you were using by downloading Chromium

You can download Chromium here: https://chromium.woolyss.com/download/

This site also has links to download previous version of Chromium:

• https://chromium.woolyss.com/#mac-64-bit
• https://github.com/macchrome/macstable/releases/tag/v67.0.3396.87-r550428-macOS

[neutcomp]

I am correct that this peace should be placed in the plugins/index.js file? If so it did not helped me fixing the memory/Aw, Snap issue.

on('before:browser:launch', (browser = {}, args) => {
    if (browser.name === 'chrome') {
      args.push('--disable-site-isolation-trials');

      return args
    }
  })

[jennifer-shehane]

@neutcomp Yes, see the correct usage here: https://on.cypress.io/browser-launch-api#Usage

[neutcomp]

@jennifer-shehane do you mean yes for that it should be placed in plugins/index.js file or that the code is correct? Or both :) Because I used indeed the link you placed to figured out how to implement this args.push functionality.

[jennifer-shehane]

You are correct that it should be placed in the plugins/index.js file.

You have the code you pasted wrapped in the module.exports = (on, config) => {} piece? Because it does look correctly written. We'd have to look in more about why it does not work for you.

[jennifer-shehane]

If you wanted to download Chromium versions (say, future versions) here is the link for this:

• https://github.com/macchrome/chromium/tags

[slaby93]

Hey, I've disabled chromeWebSecurity as well as added before:browser:launch as suggested above.
When I try to test payment process ( 302 to for example paypal ) my whole browser is redirected there, not only iframe. This means whole cypress dashboard is disappearing.

Testing cross-domain behavior is critical for my company as we need to test our integration with external services ( like PayPal ).

[pinalbhatt]

me too... tried as suggested here but no luck.

[UmasankarN]

I am facing "uncaught securityError:Blocked a frame with origin from accessing a frame with orgin .Protocols,domains and ports must match" error when trying open the iframe based application which deals with localhost and localhost:8088 in Google chrome. This is not happening in IE. Please let me know if any work around for this

[brian-mann]

@UmasankarN try upgrading to 3.1.2 and/or try setting chromeWebSecurity: false

[sankarsp]

I'd noticed an error, when I try to search the records .>
Cypress package version: 3.1.3
Error: Blocked a frame with origin "https://*******.com" from accessing a cross-origin frame.
Note : it was working thro manual search.

[jsjoeio]

For those who come here after me, the only thing I had to do was modify the cypress.json file and add:

{
  "chromeWebSecurity": false
}

Reference: Disabling Web Security from the Cypress Docs

[johnaschroeder]

@jsjoeio Thanks, your comment did the trick.

[nataliejuner]

Hello -- I am currently running on Chrome 74 and still having the problem of:
SecurityError: Blocked a frame with origin "http://localhost:3000" from accessing a cross-origin frame.

I updated my Cypress plugin index.js file to reflect this:

module.exports = (on, config) => {
	on('before:browser:launch', (browser = {}, args) => {
		// browser will look something like this
		// {
		//   name: 'chrome',
		//   displayName: 'Chrome',
		//   version: '63.0.3239.108',
		//   path: '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',
		//   majorVersion: '63'
		// }

		if (browser.name === 'chrome') {
			args.push('--disable-site-isolation-trials');

			return args
		}

		if (browser.name === 'electron') {
			args['fullscreen'] = true

			// whatever you return here becomes the new args
			return args
		}
	})
}

If you have any tips and or solutions please let me know and I thank you in advance!!

[GirijaSelvakumar]

Hi..

i have added ChromeWebSecurity : false to my cypress.json file and added the above piece of code to plugins index file, still seeing the cross domain errors.

Can anyone help me in this please, thanks.

[roma-glushko]

The same issue here:

cypress/plugins/index.js:

// ***********************************************************
// This example plugins/index.js can be used to load plugins
//
// You can change the location of this file or turn off loading
// the plugins file with the 'pluginsFile' configuration option.
//
// You can read more here:
// https://on.cypress.io/plugins-guide
// ***********************************************************

// This function is called when a project is opened or re-opened (e.g. due to
// the project's config changing)

module.exports = (on, config) => {
    // `on` is used to hook into various events Cypress emits
    // `config` is the resolved Cypress config
    on('before:browser:launch', (browser = {}, args) => {
        // browser will look something like this
        // {
        //   name: 'chrome',
        //   displayName: 'Chrome',
        //   version: '63.0.3239.108',
        //   path: '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',
        //   majorVersion: '63'
        // }

        if (browser.name === 'chrome') {
            // `args` is an array of all the arguments
            // that will be passed to Chrome when it launchers
            args.push('--disable-site-isolation-trials')

            // whatever you return here becomes the new args
            return args
        }
    })
}

cypress.json:

{
    "baseUrl": "https://example.com",
    "chromeWebSecurity": false
}

homepage.spec.js:

describe('homepage', function() {
    it('visual', function() {
        cy.visit('/')
        cy.wait(200)

        cy.screenshot('homepage', { capture: "fullPage", disableTimersAndAnimations: true })
    })
})

It fails on almost all available engines for me:

• Chrome 77
• Canary 79

[goktugy]

I am having the same problem.

[goktugy]

I have added the changes to \plugins\index.js and cypress.json and still same outcome.

Something as simple as a "login" should not be this difficult. (selenium, puppeteer is much easier)

[goktugy]

cypress.json

{"chromeWebSecurity": false}

[goktugy]

index.js

module.exports = (on, config) => {
// on is used to hook into various events Cypress emits
// config is the resolved Cypress config

on("before:browser:launch", (browser = {}, args) => {
// console.log(browser, args); // see what all is in here!

// browser will look something like this
// {
//   name: 'chrome',
//   displayName: 'Chrome',
//   version: '63.0.3239.108',
//   path: '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',
//   majorVersion: '63'
// }

// args are different based on the browser
// sometimes an array, sometimes an object

if (browser.name === "chrome") {
  args.push("--disable-site-isolation-trials");

  // whatever you return here becomes the new args
  return args;
}

});
}

[hieutrandn9889]

This bug still happen to for chrome 79

[jennifer-shehane]

This is a very old issue. The exact case of which was closed over a year and a half ago in 3.0.3.

If you are experiencing a similar issue, open a new issue with a complete reproducible example. Test code + application to visit so that we can address it.