Framebusting on 3rd party sites break Cypress automation #886

Closed
brian-mann opened this issue Nov 7, 2017 · 4 comments

@brian-mann
Member

brian-mann commented Nov 7, 2017

Sites that implement old-school security measures such as clickjacking or framebusting break Cypress.

@brian-mann brian-mann added the type: unexpected behavior User expected result, but got another label Nov 7, 2017
@jennifer-shehane jennifer-shehane added the stage: proposal 💡 No work has been done of this issue label Nov 7, 2017
@brian-mann
Member Author

brian-mann commented Feb 11, 2018

A study of common framebusting / clickjacking techniques.

https://seclab.stanford.edu/websec/framebusting/framebust.pdf

We will likely implement enough to cover the bases described here on page 3

| unique sites | conditional statement |
| --- | --- |
| 38% | `if (top != self)` |
| 22.5% | `if (top.location != self.location)` |
| 13.5% | `if (top.location != location)` |
| 8% | `if (parent.frames.length > 0)` |
| 5.5% | `if (window != top)` |
| 5.5% | `if (window.top !== window.self)` |
| 2% | `if (window.self != window.top)` |
| 2% | `if (parent && parent != window)` |
| 2% | `if (parent && parent.frames && parent.frames.length>0)` |
| 2% | `if((self.parent&&!(self.parent===self))&&(self.parent.frames.length!=0))` |
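
Added example, not part of the original comment and not Cypress's code: a scanner that audits script text for the ten conditionals listed above, so a site owner can locate legacy JavaScript framebusting checks in their own pages. The names `findFramebusters`, `balanced` and `squash` and the sample script are hypothetical and constructed for illustration.

```javascript
// The ten conditions listed in the comment above, copied verbatim.
const KNOWN_CONDITIONS = [
  'top != self',
  'top.location != self.location',
  'top.location != location',
  'parent.frames.length > 0',
  'window != top',
  'window.top !== window.self',
  'window.self != window.top',
  'parent && parent != window',
  'parent && parent.frames && parent.frames.length>0',
  '(self.parent&&!(self.parent===self))&&(self.parent.frames.length!=0)',
];

// Whitespace is insignificant in these expressions, so compare with it removed.
const squash = (s) => s.replace(/\s+/g, '');
const KNOWN = new Map(KNOWN_CONDITIONS.map((c) => [squash(c), c]));

// Return the text between the parenthesis at `open` and its matching close, or
// null if the source ends first. Assumption: the condition holds no string literals.
function balanced(src, open) {
  let depth = 0;
  for (let i = open; i < src.length; i++) {
    if (src[i] === '(') depth++;
    else if (src[i] === ')' && --depth === 0) return src.slice(open + 1, i);
  }
  return null;
}

// Report every `if (...)` whose whole condition equals one of the known forms.
function findFramebusters(src) {
  const hits = [];
  for (const m of src.matchAll(/\bif\s*\(/g)) {
    const cond = balanced(src, m.index + m[0].length - 1);
    const known = cond === null ? undefined : KNOWN.get(squash(cond));
    if (known) hits.push({ line: src.slice(0, m.index).split('\n').length, condition: known });
  }
  return hits;
}

// Constructed sample script (not taken from any real site).
const SAMPLE = [
  'var a = 1;',
  'if(top!=self){top.location=self.location;}',
  'if (a > 0) { a++; }',
  'if ( (self.parent && !(self.parent === self)) && (self.parent.frames.length != 0) ) { top.location = location; }',
].join('\n');
console.log(findFramebusters(SAMPLE));
```

The match is on the whole condition only, so a known check combined with other terms (for example `if (top != self && ready)`) is not reported.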

@brian-mann
Member Author

Released in 2.0.0.

@miohtama

I have encountered a script that is not correctly fixed by the current Cypress network layer modification. What would be the best place to discuss how to update the framebuster support to cover this?

Specifically, it is an Xsolla login iframe: https://xsolla.com/products/login

@jennifer-shehane
Member

@miohtama Please open a new issue with a fully reproducible example that we can run. There may be a specific edge case with the issue that we need more detail to fix.

@cypress-io cypress-io locked as resolved and limited conversation to collaborators Jul 20, 2020