/cypress

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Framebusting on 3rd party sites break Cypress automation #886

Closed
brian-mann opened this Issue Nov 7, 2017 · 2 comments

Comments

Assignees

@brian-mann brian-mann

Labels
Milestone
  2.0.0
2 participants
@brian-mann @jennifer-shehane
@brian-mann
Member

brian-mann commented Nov 7, 2017
edited

Sites that implement old school security measures such as clickjacking or framebusting break Cypress.

@brian-mann brian-mann added the type: unexpected behavior label Nov 7, 2017

@jennifer-shehane jennifer-shehane added the stage: proposal label Nov 7, 2017

@brian-mann

This comment has been minimized.

Show comment
Hide comment
@brian-mann

brian-mann Feb 11, 2018

Member

A study of common framebusting / clickjacking techniques.

https://seclab.stanford.edu/websec/framebusting/framebust.pdf

We will likely implement enough to cover the bases described here on page 3

unique sites conditional statement
38% if (top != self)
22.5% if (top.location != self.location)
13.5% if (top.location != location)
8% if (parent.frames.length > 0)
5.5% if (window != top)
5.5% if (window.top !== window.self)
2% if (window.self != window.top)
2% if (parent && parent != window)
2% if (parent && parent.frames && parent.frames.length>0)
2% if((self.parent&&!(self.parent===self))&&(self.parent.frames.length!=0))
Member

brian-mann commented Feb 11, 2018
edited

A study of common framebusting / clickjacking techniques.

https://seclab.stanford.edu/websec/framebusting/framebust.pdf

We will likely implement enough to cover the bases described here on page 3

unique sites conditional statement
38% if (top != self)
22.5% if (top.location != self.location)
13.5% if (top.location != location)
8% if (parent.frames.length > 0)
5.5% if (window != top)
5.5% if (window.top !== window.self)
2% if (window.self != window.top)
2% if (parent && parent != window)
2% if (parent && parent.frames && parent.frames.length>0)
2% if((self.parent&&!(self.parent===self))&&(self.parent.frames.length!=0))

@brian-mann brian-mann self-assigned this Feb 11, 2018

@brian-mann brian-mann added this to the 2.0.0 milestone Feb 11, 2018

brian-mann added a commit that referenced this issue Feb 11, 2018

@brian-mann
server, driver: fixes #886 redefine self + parent to prevent framebus… 
…ting and clickjacking security measures

- add modifyObjectiveCode config, true by default
Loading status checks…
9143636

@brian-mann brian-mann closed this in a648ee4 Feb 12, 2018

This was referenced Feb 12, 2018

Closed
Closed
Closed
Closed
Closed
Open
@brian-mann

This comment has been minimized.

Show comment
Hide comment
@brian-mann

brian-mann Feb 16, 2018

Member

Released in 2.0.0.
Member

brian-mann commented Feb 16, 2018

Released in 2.0.0.

@jennifer-shehane jennifer-shehane referenced this issue Mar 29, 2018

Open

Application not working with Chrome-64. Failing to get URL "/__/#/tests/" #1497

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment