Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cypress incorrectly validates domain of cookies in 3.5.0 #5656

Closed
donotello opened this issue Nov 11, 2019 · 7 comments · Fixed by #5657 or #5862

Comments

@donotello
Copy link
Contributor

@donotello donotello commented Nov 11, 2019

Current behavior:

Cookies are failing to set for subdomains during cy.request.
E.g. we call /auth of auth.test.server and it returns token cookie with .test.server. In this case cookie is not set.

Desired behavior:

Cookie is set in above example.

Steps to reproduce: (app code and test code)

Look at packages/server/lib/request.coffee#setCookiesOnBrowser:

return if not tough.domainMatch(cookie.domain, parsedUrl.hostname)

And at tough-cookie documentation:

domainMatch(str,domStr[,canonicalize=true])
Answers "does this real domain match the domain in a cookie?". The str is the "current" domain-name and the domStr is the "cookie" domain-name. Matches according to RFC6265 Section 5.1.3, but it helps to think of it as a "suffix match".

So it should be:

return if not tough.domainMatch(parsedUrl.hostname, cookie.domain)

Versions

>=3.5.0

@tozes

This comment has been minimized.

Copy link

@tozes tozes commented Nov 25, 2019

+1, as discussed here, we have exactly the same issue which is stopping us for upgrading from 3.4.1

@fernandopasik

This comment has been minimized.

Copy link

@fernandopasik fernandopasik commented Nov 25, 2019

@tozes your link was broken
#5688 (comment)

@cypress-bot

This comment has been minimized.

Copy link

@cypress-bot cypress-bot bot commented Nov 26, 2019

The code for this is done in cypress-io/cypress#5657, but has yet to be released.
We'll update this issue and reference the changelog when it's released.

@jennifer-shehane jennifer-shehane changed the title Cypress incorrectly validates domain of cookies Cypress incorrectly validates domain of cookies in 3.5.0 Nov 27, 2019
@cypress-bot

This comment has been minimized.

Copy link

@cypress-bot cypress-bot bot commented Nov 27, 2019

Released in 3.7.0.

@donotello

This comment has been minimized.

Copy link
Contributor Author

@donotello donotello commented Nov 28, 2019

@jennifer-shehane , @flotwig , @brian-mann,

Shame on my guys, I've missed another incorrect usage of domainMatch in cypress here: https://github.com/cypress-io/cypress/blob/develop/packages/server/lib/browsers/cdp_automation.ts#L24

Which basically means that this issue is only partially resolved in #5657. Unfortunately looks like we have incorrect tests for that code as well: #5816.

I'm not sure if I will be able to pick this up soon enough. Could please one of you reopen this one and do the fix?

@tozes FYI

@flotwig

This comment has been minimized.

Copy link
Member

@flotwig flotwig commented Dec 3, 2019

@donotello That's my bad, I noticed that the tests passed without that patch so I left it out. I forgot to go back and double-check it against tough-cookie's documentation, but I believe you're correct. I'll open a PR.

@cypress-bot

This comment has been minimized.

Copy link

@cypress-bot cypress-bot bot commented Dec 6, 2019

The code for this is done in cypress-io/cypress#5862, but has yet to be released.
We'll update this issue and reference the changelog when it's released.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
5 participants
You can’t perform that action at this time.