Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve Cookie handling with experimentalSessionAndOrigin enabled #23551

Closed
AtofStryker opened this issue Aug 25, 2022 · 2 comments · Fixed by #23872
Closed

Improve Cookie handling with experimentalSessionAndOrigin enabled #23551

AtofStryker opened this issue Aug 25, 2022 · 2 comments · Fixed by #23872
Assignees
Labels
topic: cookies 🍪 topic: cy.origin Problems or enhancements related to cy.origin command

Comments

@AtofStryker
Copy link
Contributor

AtofStryker commented Aug 25, 2022

What would you like?

If using experimentalSessionAndOrigin, I expect cookies to behave as if the AUT were top, in addition to attaching cookies appropriately given my request options.

Why is this needed?

Currently, with the experimentalSessionAndOrigin flag enabled, the proxy server attempts to manage cross origin cookies via tough-cookie to apply cookies to requests that cannot be set in the browser. This is mainly due to the AUT and top origins possibly not matching after navigating and using cy.origin, attempting to apply/set cookies that would normally work if top and the AUT origins were the same.

After the release of 10.3.0, a few bug reports have been opened about the cookie behavior. Based on discovery, it looks like we may need to rework our strategy to managing cookies when the experimentalSessionAndOrigin flag is enabled, whether or not the user is actively using cy.origin.

Currently with the fix introduced in #23438, cookies are applied optimistically, meaning that cookies that match the current sameSiteContext of the AUT are applied regardless of request options. One can think of this as withCredentials and credentials defaulting to true and include for XmlHttpRequest and fetch respectively, which will cause cookies to potentially leak out of requests when they are not intended to be sent with the given request.

Other

Since addressing these issues in one attempt is likely difficult, several e2e style tests were added in #23438 to showcase current behavior, with FIXME s introduced for incorrect behavior with commented out correct assertions. This should work as a testing base to verify our assertions once we attempt additional fixes on cookie management.

Moving forward, in order to get cookies to work as if they would in a natural browser state, the following needs to be done:

  • Server side cookie jar likely needs to full knowledge of cookies defined through responses and directly in the browser so it can simulate the AUT as top correctly.
  • Requests in the proxy will need to know more information about the request in order to correctly mimc the browser and attach cookies correctly, such as:
    • What request method was used (fetch or XmlHttpRequest) ?
    • If XmlHttpRequest, was withCredentials specified in the request? The server will need to know this to appropriately attach cookies if cross-site / cross-origin requests are sent given the AUT origin. If no option is specified, we can assume XmlHttpRequest will send cookies to all same-site (not same-origin) requests and the server can attach cookies appropriately. This default behavior is different from fetch.
    • If fetch, we need to know if credentials were specified to omit, same-origin, or include. The default is same-origin, which as its name implies will only send requests to the same origin. same-site requests need to specify the include option. Knowing this information allows us to appropriately attach cookies in the server in addition to knowing the AUT origin.

I created this little cookie behavior reproduction repository to showcase what the cookie behavior should look like as opposed to trying to replicate all of these scenarios manually, which is hard to remember and incredibly time consuming

@cypress-bot
Copy link
Contributor

cypress-bot bot commented Oct 3, 2022

The code for this is done in cypress-io/cypress#23872, but has yet to be released.
We'll update this issue and reference the changelog when it's released.

@cypress-bot
Copy link
Contributor

cypress-bot bot commented Oct 11, 2022

Released in 10.10.0.

This comment thread has been locked. If you are still experiencing this issue after upgrading to
Cypress v10.10.0, please open a new issue.

@cypress-bot cypress-bot bot locked as resolved and limited conversation to collaborators Oct 11, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
topic: cookies 🍪 topic: cy.origin Problems or enhancements related to cy.origin command
Projects
None yet
2 participants