Skip to content

/ cypress

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Framebusting on 3rd party sites break Cypress automation #886

Closed
brian-mann opened this issue Nov 7, 2017 · 4 comments
Closed

Framebusting on 3rd party sites break Cypress automation #886

brian-mann opened this issue Nov 7, 2017 · 4 comments
Assignees
@brian-mann
Labels
type: unexpected behavior
Milestone
2.0.0

Comments

@brian-mann
Copy link
Member

@brian-mann brian-mann commented Nov 7, 2017
edited

Sites that implement old school security measures such as clickjacking or framebusting break Cypress.
@brian-mann
Copy link
Member Author

@brian-mann brian-mann commented Feb 11, 2018
edited

A study of common framebusting / clickjacking techniques.

https://seclab.stanford.edu/websec/framebusting/framebust.pdf

We will likely implement enough to cover the bases described here on page 3

unique sites conditional statement
38% if (top != self)
22.5% if (top.location != self.location)
13.5% if (top.location != location)
8% if (parent.frames.length > 0)
5.5% if (window != top)
5.5% if (window.top !== window.self)
2% if (window.self != window.top)
2% if (parent && parent != window)
2% if (parent && parent.frames && parent.frames.length>0)
2% if((self.parent&&!(self.parent===self))&&(self.parent.frames.length!=0))
@brian-mann brian-mann self-assigned this Feb 11, 2018
@brian-mann brian-mann added this to the 2.0.0 milestone Feb 11, 2018
brian-mann added a commit that referenced this issue Feb 11, 2018
@brian-mann
server, driver: fixes #886 redefine self + parent to prevent framebus…
Loading status checks…
9143636 
…ting and clickjacking security measures

- add modifyObjectiveCode config, true by default
This was referenced Feb 12, 2018
Closed
Closed
Closed
Closed
Closed
Closed
@brian-mann
Copy link
Member Author

@brian-mann brian-mann commented Feb 16, 2018

Released in 2.0.0.
@jennifer-shehane jennifer-shehane mentioned this issue Mar 29, 2018
Closed
@jennifer-shehane jennifer-shehane mentioned this issue Feb 19, 2019
Closed
@miohtama
Copy link

@miohtama miohtama commented Jul 20, 2020

I have encountered a script that is not correctly fixed by the current Cypress network layer modification. What would be the best place to discuss how to update the framebuster support to cover this?

Specifically, it is a Xsolla login iframe https://xsolla.com/products/login
@jennifer-shehane
Copy link
Member

@jennifer-shehane jennifer-shehane commented Jul 20, 2020

@miohtama Please open a new issue with a fully reproducible example that we can run. There may be a specific edge case with the issue that we need more detail to fix.
@cypress-io cypress-io locked as resolved and limited conversation to collaborators Jul 20, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@brian-mann brian-mann

Labels
type: unexpected behavior
Projects
None yet
Milestone
2.0.0
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants
@miohtama @brian-mann @jennifer-shehane