fix: only set allowedOrigin when needed

package.json

@@ -11,7 +11,7 @@
     "changelog": "standard-version -a --skip.tag=true --skip.commit=true --skip.bump=true"
   },
   "devDependencies": {
-    "axe-test-fixtures": "github:dequelabs/axe-test-fixtures#v1",
+    "axe-test-fixtures": "github:dequelabs/axe-test-fixtures",
     "standard-version": "^9.0.0"
   }
 }

packages/axe-core-api/e2e/selenium/spec/api_spec.rb

@@ -200,7 +200,7 @@ def recursive_compact(thing)
     $driver.get fixture "/nested-iframes.html"
     res = with_js($axe_pre_43x) { run_axe }
 
-    expect(res.results.testEngine["version"]).to eq "4.0.3"
+    expect(res.results.testEngine["version"]).to eq "4.2.3"
 
     label_vio = res.results.violations.find { |vio| vio.id == :label }
     expect(label_vio).not_to be_nil
@@ -320,4 +320,46 @@ def recursive_compact(thing)
     ft_inc = res.results.incomplete.find { |inc| inc.id == :'frame-tested' }
     expect(ft_inc).to be_nil
   end
+
+  describe "allowedOrigin" do
+    def get_allowed_origin
+      return $driver.execute_script("return axe._audit.allowedOrigins")
+    end
+
+    it "should not set when running runPartial and not legacy mode" do
+      $driver.get fixture "/index.html"
+      run_axe
+      allowed_origin = get_allowed_origin
+      expect(allowed_origin).to eq ["http://localhost:8000"]
+      expect(allowed_origin.length).to eq 1
+    end
+
+    it "should set when running runPartial and legacy mode" do
+      $driver.get fixture "/index.html"
+      with_legacy_mode { run_axe }
+      allowed_origin = get_allowed_origin
+      expect(allowed_origin).to eq ["http://localhost:8000"]
+      expect(allowed_origin.length).to eq 1
+    end
+
+    it "should not set when running legacy source and legacy mode" do
+      $driver.get fixture "/index.html"
+      with_legacy_mode {
+        with_js($axe_pre_43x) {
+          run_axe
+        }
+      }
+      allowed_origin = get_allowed_origin
+      expect(allowed_origin).to eq ["http://localhost:8000"]
+      expect(allowed_origin.length).to eq 1
+    end
+
+    it "should set when running legacy source and not legacy mode" do
+      $driver.get fixture "/index.html"
+      with_js($axe_pre_43x) { run_axe }
+      allowed_origin = get_allowed_origin
+      expect(allowed_origin).to eq ["*"]
+      expect(allowed_origin.length).to eq 1
+    end
+  end
 end

packages/axe-core-api/lib/axe/core.rb

@@ -25,10 +25,16 @@ def call_verbatim(callable)
       callable.call @page
     end
 
+    def self.has_run_partial?(page)
+      page.evaluate_script <<-JS
+          typeof window.axe.runPartial === 'function'
+      JS
+    end
+
     private
 
     def use_run_partial
-      has_run_partial? and not Axe::Configuration.instance.legacy_mode
+      Core.has_run_partial?(@page) and not Axe::Configuration.instance.legacy_mode
     end
 
     def load_axe_core(source)
@@ -40,12 +46,6 @@ def load_axe_core(source)
       loader.call source
     end
 
-    def has_run_partial?
-      @page.evaluate_script <<-JS
-          typeof window.axe.runPartial === 'function'
-      JS
-    end
-
     def already_loaded?
       @page.evaluate_script <<-JS
         window.#{JS_NAME} &&

packages/axe-core-api/lib/loader.rb

@@ -1,4 +1,5 @@
 require_relative "./axe/configuration"
+require_relative "./axe/core"
 require_relative "./hooks"
 
 module Common
@@ -25,8 +26,8 @@ def call(source, is_top_level = true)
     private
 
     def set_allowed_origins
-      allowed_origins = "<unsafe_all_origins>"
-      allowed_origins = "<same_origin>" if Axe::Configuration.instance.legacy_mode
+      allowed_origins = "<same_origin>"
+      allowed_origins = "<unsafe_all_origins>" if !Axe::Configuration.instance.legacy_mode && !Axe::Core::has_run_partial?(@page)
       @page.execute_script "axe.configure({ allowedOrigins: ['#{allowed_origins}'] });"
     end