chromeWebSecurity setting does not take effect in Electron browser

[alexborovkov]

Current behavior:

I make get request to external url.

 .route(/documents\/9\/embed_url/, {
   url:
     "https://casefleet-cypress-fixtures.s3.amazonaws.com/document-viewer/between/4pages/0.html",
 })

In Cypress 5.0 I've got error that request blocked by CORS policy.

Desired behavior:

In previous Cypress version 4.12.1 it worked without error.

I think it can be result of updating electron from 8.3.1 to 9.0.5

Versions

Cypress 5.0
Electron

[jennifer-shehane]

@AleksandrBorovkov Any reason you think this is due to the Electron upgrade specifically? Does this error only happen in Electron? It doesn't happen in Chrome or Firefox?

Unfortunately we'll have to close this issue if there is not enough information to reproduce the problem. This does not mean that your issue is not happening - it just means that we do not have a path to move forward.

Is there any way to provide a reproducible example?

[alexborovkov]

My issue is similar to #8412
I also have "chromeWebSecurity": false setting. It works correctly in Chrome, but not in Electron

[flotwig]

Yes, it seems like there is an open bug in Electron 9.x (which we upgraded to in Cypress 5) with disabling webSecurity: electron/electron#23664

Here is a workaround that should work based on this comment:

Set the ELECTRON_EXTRA_LAUNCH_ARGS environment variable to disable-features=OutOfBlinkCors to forcefully disable chromeWebSecurity in Cypress 5.

For example, in Linux or macOS:

ELECTRON_EXTRA_LAUNCH_ARGS=disable-features=OutOfBlinkCors cypress run ...

[AhmedAlsaab]

Yeah we're getting the same issue as of Cypress 5.0 with Headless Electron, which seemingly worked fine before we upgraded.

Here's a log of my browser options:

browser  {
  preferences: {
    width: 1280,
    height: 720,
    show: false,
    automationMiddleware: {},
    projectRoot: omitted 
    browsers: [ [Object], [Object] ],
    proxyUrl: 'http://localhost:50823',
    userAgent: null,
    proxyServer: 'http://localhost:50823',
    socketIoRoute: '/__socket.io',
    chromeWebSecurity: false,
    url: omitted 
    isTextTerminal: true,
    browser: {
      name: 'electron',
      channel: 'stable',
      family: 'chromium',
      displayName: 'Electron',
      version: '83.0.4103.122',
      path: '',
      majorVersion: 83,
      info: 'Electron is the default browser that comes with Cypress. This is the default browser that runs in headless mode. Selecting this browser is useful when debugging. The version number indicates the underlying Chromium version that Electron uses.',
      isHeadless: true,
      isHeaded: false
    },
    x: null,
    y: null,
    devTools: false,
    minWidth: 100,
    minHeight: 100,
    contextMenu: true,
    partition: 'persist:run-25568',
    trackState: {
      width: 'browserWidth',
      height: 'browserHeight',
      x: 'browserX',
      y: 'browserY',
      devTools: 'isBrowserDevToolsOpen'
    },
    frame: true,
    recordFrameRate: null,
    webPreferences: {
      partition: null,
      webSecurity: true,
      nodeIntegration: false,
      backgroundThrottling: false
    }
  },
  extensions: [],
  args: [],
  concat: [Function],
  push: [Function],
  unshift: [Function],
  slice: [Function],
  pop: [Function],
  shift: [Function],
  splice: [Function],
  filter: [Function],
  map: [Function],
  forEach: [Function],
  reduce: [Function],
  reverse: [Function],
  includes: [Function],
  [Symbol(Symbol.iterator)]: [Function: bound values]
}

We're making a request to a service outside of the baseURL and can easily reproduce this issue with Cypress 5.0

Switching to Chrome and adding --browser chrome --headless to the Cypress run script works and we can effectively bypass CORS issues as chromeWebSecurity is set to false. However, we're stuck with Electron for the time being and this issue is somewhat blocking us unless we decide to revert.

I have tried your suggestions @flotwig but it doesn't do the trick, it might just be me not setting it correctly, I have set the env var in my shell, on my machine and even added to the cypress run script yet I can't get the "workaround" to work. Here's the run script:

"cy:x": "cypress run --env ELECTRON_EXTRA_LAUNCH_ARGS=disable-features=OutOfBlinkCors --spec=\"cypress/integration/my-tests.spec.js\"",

Anything else I should try or amend?

[flotwig]

@AhmedAlsaab it should be an OS environment variable, not a Cypress.env environment variable:

macOS/Linux:

ELECTRON_EXTRA_LAUNCH_ARGS=disable-features=OutOfBlinkCors cypress run --spec=\"cypress/integration/my-tests.spec.js\"

If you're on Windows, you can npm i cross-env and use that to set env vars:

cross-env ELECTRON_EXTRA_LAUNCH_ARGS=disable-features=OutOfBlinkCors cypress run --spec=\"cypress/integration/my-tests.spec.js\"

[AhmedAlsaab]

If you're on Windows, you can npm i cross-env and use that to set env vars:

cross-env ELECTRON_EXTRA_LAUNCH_ARGS=disable-features=OutOfBlinkCors cypress run --spec=\"cypress/integration/my-tests.spec.js\"

Awesome that did the trick and is a feasible workaround for us! Thanks @flotwig

[cypress-bot]

The code for this is done in cypress-io/cypress#8406, but has yet to be released.
We'll update this issue and reference the changelog when it's released.

[cypress-bot]

Released in 5.4.0.

This comment thread has been locked. If you are still experiencing this issue after upgrading to
Cypress v5.4.0, please open a new issue.