After updating to Cypress 10.4.0 localStorage and sessionStorage are not populated with part of login happening in cy.origin() and login process fails #23075

Closed
Wilhop opened this issue Aug 3, 2022 · 18 comments
Labels
topic: cookies 🍪; type: regression (A bug that didn't appear until a specific Cy version release); v10.4.0 🐛 (issue present since 10.4.0)

Comments

@Wilhop

Wilhop commented Aug 3, 2022

Current behavior

Before the Cypress 10.4 update, the test framework had the current workflow:

  1. In each test, beforeEach runs Commands.login()
  2. Commands.login() contains the login wrapped inside cy.session to preserve session data
  3. Inside the cy.session, part of the login is inside cy.origin, because a part of the login process is done in a secondary domain
  4. Rest of the steps are done in the initial first domain

Problem with part 4: now after Cypress 10.4 update, when it returns from the secondary domain, it looks like both localStorage and sessionStorage are emptied, thus the test cannot continue without the data stored in both of the storages.

Desired behavior

cy.session() should preserve localStorage and sessionStorage as documented.

Test code to reproduce

import { Commands } from '../support/commands';
beforeEach(() => {
    cy.viewport(1412, 937);
    cy.log('I run this text and login before every test in every spec file!');
    Commands.login(Cypress.env("username"), Cypress.env("password"));
});

../support/commands.ts

export class Commands {
    // Logs in once per (username, password) pair; cy.session() caches the resulting session data
    public static login = (username: string, password: string): void => {
        cy.session([username, password], () => {
            // Visit main page, we are in firstdomain.com
            cy.visit(Cypress.env("testUrl"));

            // Click the button in the firstdomain that redirects to secondary domain
            cy.get(':nth-child(1) > .--span-s-12 > .c-button > .button-container > .button-text').click();

            // Commands that need to run in another domain
            // Anything that runs in the secondary domain needs to be wrapped inside cy.origin for the test to continue
            cy.origin('different.domain.com', { args: [username, password] }, ([username, password]) => {
                // Enter login info in secondary domain
                cy.get('#email').click();
                cy.get('#email').type(username);
                cy.get('#password').click();
                cy.get('#password').type(password);
                cy.get('#next').click();
            });

            // Now we're redirected back at the original firstdomain.com, so we need to continue commands outside of cy.origin
            // PROBLEM: In Cypress 10.4.0 the sessionStorage and localStorage are not preserved at this step, at least it looks like that from DevTools

            // Select company from list, which can't be found in 10.4 because it's not in the correct page
            cy.contains("72", { timeout: 6000 }).click();

            // Do other stuff in firstdomain.com..

            // Session ends
        });
    };
}

Cypress Version

10.4.0

Other

This worked fine until 10.3.2

@rlam3

rlam3 commented Aug 3, 2022

There was a huge develop->master merge in the last 24hrs. #23065

@cypress-bot cypress-bot bot added the stage: investigating (Someone from Cypress is looking into this) label Aug 3, 2022
@emilyrohrbough
Member

@Wilhop Thanks for logging the issue. Can you provide additional details on the behavior and can you provide a reproducible example?

I put together this example repo and am unable to reproduce the issue you are seeing. The local storage is being saved correctly and consistently when comparing 10.3.1 and 10.4.0 when using cy.session() and cy.origin().

@cypress-bot cypress-bot bot added stage: awaiting response (Potential fix was proposed; awaiting response) and removed stage: investigating (Someone from Cypress is looking into this) labels Aug 3, 2022
@Wilhop
Author

Wilhop commented Aug 4, 2022

I tried to narrow the problem down a bit by making the login just a test without a cy.session(). I tried removing cy.origin() out of the picture as well, but chromeWebSecurity: false in cypress.config.js is not working anymore - is this normal in version 10.4?

Problem persists: it seems that localStorage and sessionStorage are never being populated in Cypress 10.4 in our login workflow. The logic is quite complex, but basically when we return from the second domain in Azure login service wrapped in cy.origin() -> the application starts populating both localStorage and sessionStorage.

I'm not sure how I could give a working example without giving real addresses and login information.

The test below works in Cypress 10.3.1 and fails in 10.4. In 10.4 when I observe the storages with DevTools while running Cypress test, it never gets the values needed. I'm quite sure it has something to do with cy.origin() and getting back from it, but I could be very wrong.

describe("Try to login as a test", () => {
    it("Logs in", () => {
        // We start in first domain
        cy.visit("/");
        // Clicking this button will go to the second domain
        cy.get(':nth-child(1) > .--span-s-12 > .c-button > .button-container > .button-text').click();
        // Commands that need to run in another domain other than the baseUrl
        // Anything that runs in the secondary domain needs to be wrapped inside cy.origin for the test to continue
        cy.origin('second.domain.com', () => {
            // Enter login info
            cy.get('#email').click();
            cy.get('#email').type("emailvalue....");
            cy.get('#password').click();
            cy.get('#password').type("passwordvalue....");
            cy.get('#next').click();
        });
        // Now we're back at the original domain, so we need to continue commands outside of cy.origin
        // Select company 72 from list
        cy.contains("72", { timeout: 20000 }).click();
    });
});

@Wilhop Wilhop changed the title from "After updating to Cypress 10.4.0 localStorage and sessionStorage are not preserved through cy.session() and login process fails" to "After updating to Cypress 10.4.0 localStorage and sessionStorage are not populated with part of login happening in cy.origin() and login process fails" Aug 4, 2022
@AtofStryker
Contributor

AtofStryker commented Aug 4, 2022

Hi @Wilhop. I see the issue is still persisting for you, but were you able to produce the issue in @emilyrohrbough's example repo?

@Wilhop
Author

Wilhop commented Aug 8, 2022

@AtofStryker Just making sure I understand correctly:
a/ reproduce an error using the example repo and the tests already existing there?
-> if this is the case, then all tests are green in the example repo if I run it
b/ add my failing test case to the example repository and see if it fails in there as well?
-> if this is the case, then yes my test case will fail in the example repo as well
c/ try to create a new test case in the repo that can be shared (doesn't have live addresses, authentication) where one could replicate the problem?

Thanks in advance, I'm not that familiar with open-source projects (yet) :)

@emilyrohrbough
Member

emilyrohrbough commented Aug 8, 2022

@Wilhop, yes, the ideal/best option is to try and reproduce your issue in the example repo by adding the code that is closest to your test-code (or your test code if possible). The simplest reproducible example is best to isolate and identify the root-cause.

@Wilhop
Author

Wilhop commented Aug 9, 2022

As the code is login code with a 3rd-party (Azure) login, I couldn't find a way to share an example that wouldn't expose sensitive data. After trying to debug the problem for several days, we didn't find anything in our application that would cause this behavior. However, in Cypress, we see that after the cy.origin() block ends, the API calls required for our app just don't happen as they happened in 10.3.1. See image, where GET/POST calls should continue to fire and responses would have been stored to storage.
image

Here is the debug log where one can see the differences happening. Everything looks pretty similar until 10.3.1 calls "*/b2c_1_local/oauth2/v2.0/token" and 10.4 just doesn't. Site name changed for sensitivity purposes.

Cypress 10.3.1 working example login

 cypress:net-stubbing:server:intercept-response InterceptResponse { req: { url: '/tfp/testsiteb2c.onmicrosoft.com/b2c_1_local/v2.0/.well-known/openid-configuration' }, request: undefined } +1s
  cypress:network:cors Parsed URL { port: '443', tld: 'com', domain: 'b2clogin' } +83ms
  cypress:server:remote-states getting remote state: { auth: undefined, origin: 'https://b2clogin.com', strategy: 'http', fileServer: null, domainName: 'b2clogin.com', props: { port: '443', tld: 'com', domain: 'b2clogin' } } for: https://b2clogin.com +83ms
  cypress:network:cors Parsed URL { port: '443', tld: 'com', domain: 'b2clogin' } +0ms
  cypress:network:cors Parsed URL { port: '443', tld: 'com', domain: 'b2clogin' } +0ms
  cypress:network:cors Parsed URL { port: '443', tld: 'com', domain: 'b2clogin' } +0ms
  cypress:server:remote-states getting remote state: { auth: undefined, origin: 'https://b2clogin.com', strategy: 'http', fileServer: null, domainName: 'b2clogin.com', props: { port: '443', tld: 'com', domain: 'b2clogin' } } for: https://b2clogin.com +0ms
  cypress:network:cors Parsed URL { port: '443', tld: 'com', domain: 'b2clogin' } +0ms
  cypress:network:cors Parsed URL { port: '443', tld: 'com', domain: 'b2clogin' } +0ms
  cypress:network:cors Parsed URL { port: '443', tld: 'fi', domain: 'testmysite' } +0ms
  cypress:network:cors Parsed URL { port: '443', tld: 'com', domain: 'b2clogin' } +0ms
  cypress:network:cors Parsed URL { port: '443', tld: 'com', domain: 'b2clogin' } +1ms
  cypress:server:remote-states getting remote state: { auth: undefined, origin: 'https://b2clogin.com', strategy: 'http', fileServer: null, domainName: 'b2clogin.com', props: { port: '443', tld: 'com', domain: 'b2clogin' } } for: https://b2clogin.com +1ms
  cypress:server:browsers:chrome continueRequest: { requestId: 'interception-job-64.0' } +100ms
  cypress:network:cors Parsed URL { port: '443', tld: 'fi', domain: 'testmysite' } +9ms
  cypress:network:cors Parsed URL { port: '443', tld: 'com', domain: 'b2clogin' } +0ms
  cypress:network:cors Parsed URL { port: '443', tld: 'com', domain: 'b2clogin' } +1ms
  cypress:server:remote-states getting remote state: { auth: undefined, origin: 'https://b2clogin.com', strategy: 'http', fileServer: null, domainName: 'b2clogin.com', props: { port: '443', tld: 'com', domain: 'b2clogin' } } for: https://testsiteb2c.b2clogin.com/testsiteb2c.onmicrosoft.com/b2c_1_local/oauth2/v2.0/token +10ms
  cypress:network:cors Parsed URL { port: '443', tld: 'com', domain: 'b2clogin' } +1ms
  cypress:server:remote-states getting remote state: { auth: undefined, origin: 'https://b2clogin.com', strategy: 'http', fileServer: null, domainName: 'b2clogin.com', props: { port: '443', tld: 'com', domain: 'b2clogin' } } for: https://b2clogin.com +1ms
  cypress:server:stream_buffer appending chunk to buffer { bytesWritten: 0, chunkLength: 1586 } +94ms
  cypress:network:agent addRequest called { isHttps: true, href: '**https://testsiteb2c.b2clogin.com/testsiteb2c.onmicrosoft.com/b2c_1_local/oauth2/v2.0/token'** } +94ms
  cypress:network:agent got family { family: 4, href: '**https://testsiteb2c.b2clogin.com/testsiteb2c.onmicrosoft.com/b2c_1_local/oauth2/v2.0/token**' } +0ms
  cypress:server:stream_buffer stream buffer writeable final called +1ms
  cypress:server:request received status code & headers on request { requestId: 'request45', statusCode: 200, headers: { 'content-type': 'application/json; charset=utf-8', 'set-cookie': [ 'x-ms-cpim-trans=; domain=testsiteb2c.b2clogin.com; expires=Thu, 09-Aug-2012 06:50:41 GMT; path=/; SameSite=None; secure; HttpOnly' ] } } +176ms
  cypress:server:request successful response received { requestId: 'request45' } +0ms
  cypress:net-stubbing:server:intercept-response InterceptResponse { req: { url: '/testsiteb2c.onmicrosoft.com/b2c_1_local/oauth2/v2.0/token' }, request: undefined } +177ms
  cypress:network:cors Parsed URL { port: '443', tld: 'com', domain: 'b2clogin' } +164ms
  cypress:server:remote-states getting remote state: { auth: undefined, origin: 'https://b2clogin.com', strategy: 'http', fileServer: null, domainName: 'b2clogin.com', props: { port: '443', tld: 'com', domain: 'b2clogin' } } for: https://b2clogin.com +164ms
  cypress:network:cors Parsed URL { port: '443', tld: 'com', domain: 'b2clogin' } +0ms
  cypress:network:cors Parsed URL { port: '443', tld: 'com', domain: 'b2clogin' } +0ms
  cypress:network:cors Parsed URL { port: '443', tld: 'com', domain: 'b2clogin' } +0ms
  cypress:server:remote-states getting remote state: { auth: undefined, origin: 'https://b2clogin.com', strategy: 'http', fileServer: null, domainName: 'b2clogin.com', props: { port: '443', tld: 'com', domain: 'b2clogin' } } for: https://b2clogin.com +1ms
  cypress:network:cors Parsed URL { port: '443', tld: 'com', domain: 'b2clogin' } +1ms
  cypress:network:cors Parsed URL { port: '443', tld: 'com', domain: 'b2clogin' } +0ms
  cypress:network:cors Parsed URL { port: '443', tld: 'fi', domain: 'testmysite' } +0ms
  cypress:network:cors Parsed URL { port: '443', tld: 'com', domain: 'b2clogin' } +0ms
  cypress:network:cors Parsed URL { port: '443', tld: 'com', domain: 'b2clogin' } +0ms
  cypress:server:remote-states getting remote state: { auth: undefined, origin: 'https://b2clogin.com', strategy: 'http', fileServer: null, domainName: 'b2clogin.com', props: { port: '443', tld: 'com', domain: 'b2clogin' } } for: https://b2clogin.com +0ms
  cypress:server:browsers:chrome continueRequest: { requestId: 'interception-job-65.0' } +184ms
  cypress:network:cors Parsed URL { port: '443', tld: 'fi', domain: 'testmysite' } +17ms
  cypress:network:cors Parsed URL { port: '443', tld: 'fi', domain: 'testmysite' } +0ms
  cypress:network:cors Parsed URL { port: '443', tld: 'fi', domain: 'testmysite' } +2ms
  cypress:server:remote-states getting remote state: { auth: null, origin: 'https://online.testmysite.fi', strategy: 'http', fileServer: null, domainName: 'testmysite.fi', props: { port: '443', tld: 'fi', domain: 'testmysite' } } for: **https://online.testmysite.fi/testsoftware/-/-/-/api/Enviroment/GetProgramVersion +19ms**


Cypress 10.4 not working example login, same test

cypress:server:remote-states getting remote state: { auth: undefined, origin: 'https://b2clogin.com', strategy: 'http', fileServer: null, domainName: 'b2clogin.com', props: { port: '443', tld: 'com', domain: 'b2clogin' } } for: https://b2clogin.com +0ms
  cypress:network:cors Parsed URL { port: '443', tld: 'com', domain: 'b2clogin' } +0ms
  cypress:network:cors Parsed URL { port: '443', tld: 'com', domain: 'b2clogin' } +0ms
  cypress:network:cors Parsed URL { port: '443', tld: 'fi', domain: 'testmysite' } +0ms
  cypress:network:cors Parsed URL { port: '443', tld: 'com', domain: 'b2clogin' } +0ms
  cypress:network:cors Parsed URL { port: '443', tld: 'fi', domain: 'testmysite' } +0ms
  cypress:network:cors Parsed URL { port: '443', tld: 'com', domain: 'b2clogin' } +0ms
  cypress:server:socket-base backend:request { eventName: 'cross:origin:automation:cookies:received', args: [] } +92ms
  cypress:network:cors Parsed URL { port: '443', tld: 'com', domain: 'b2clogin' } +4ms
  cypress:server:remote-states getting remote state: { auth: undefined, origin: 'https://b2clogin.com', strategy: 'http', fileServer: null, domainName: 'b2clogin.com', props: { port: '443', tld: 'com', domain: 'b2clogin' } } for: https://b2clogin.com +4ms
  cypress:server:browsers:chrome continueRequest: { requestId: 'interception-job-64.0' } +112ms
  cypress:network:cors Parsed URL { port: '443', tld: 'fi', domain: 'testmysite' } +12ms
  cypress:network:cors Parsed URL { port: '443', tld: 'fi', domain: 'testmysite' } +0ms
  cypress:network:cors Parsed URL { port: '443', tld: 'fi', domain: 'testmysite' } +1ms
  cypress:server:remote-states getting remote state: { auth: null, origin: 'https://online.testmysite.fi', strategy: 'http', fileServer: null, domainName: 'testmysite.fi', props: { port: '443', tld: 'fi', domain: 'testmysite' } } for: **https://online.testmysite.fi/testsoftware/-/-/-/api/Enviroment/GetProgramVersion +14ms**
  cypress:network:cors Parsed URL { port: '443', tld: 'com', domain: 'b2clogin' } +1ms
  cypress:server:remote-states getting remote state: { auth: undefined, origin: 'https://b2clogin.com', strategy: 'http', fileServer: null, domainName: 'b2clogin.com', props: { port: '443', tld: 'com', domain: 'b2clogin' } } for: https://b2clogin.com +0ms
  cypress:server:stream_buffer stream buffer writeable final called +107ms

@Wilhop
Author

Wilhop commented Aug 9, 2022

Also, if there is a workaround for cy.origin() in 10.4, then I'd be happy to try it out. Our whole Cypress test suite is broken because we have no way of logging in.

To get working tests the suite was downgraded to 10.3.1.

@AtofStryker
Contributor

@Wilhop I have a possible hunch that might be related to this #23132 (comment). Would you be able to run with DEBUG=cypress-verbose:proxy:http in 10.4.0 and 10.3.1 and post both debug logs here? I have a feeling we might be applying incorrect cookie logic that might have some downstream impacts.
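
One way to compare the two runs requested above, as an added example that is not part of the thread and not Cypress code: a Node.js script that reads `DEBUG=cypress-verbose:proxy:http` output from a working and a failing run and reports which cookie names the proxy stopped attaching, which requests lost their pre-request match, and which were never sent. The log lines are constructed (shortened, with placeholder hosts, tenant and cookie values) in the line format posted in this issue; `parseProxyLog` and `diffRuns` are hypothetical names.

```javascript
// Constructed sample input: shortened lines in the cypress-verbose:proxy:http
// format. Hosts, tenant name and cookie values are placeholders.
const P = "cypress-verbose:proxy:http";
const IDP = "https://idp.example.test";
const APP = "https://app.example.test";
const SSO = "x-ms-cpim-sso:tenant_0=constructed-sso-value";
const CSRF = "x-ms-cpim-csrf=constructed-csrf-value";

const WORKING_LOG = [
  `${P} GET ${IDP}/tfp/tenant/policy/v... IncomingRequest existing cookies on request:  +2ms`,
  `${P} GET ${IDP}/tfp/tenant/policy/v... IncomingRequest add cookies to request: ${SSO}; ${CSRF} +0ms`,
  `${P} GET ${IDP}/tfp/tenant/policy/v... IncomingRequest Incoming request GET-${IDP}/tfp/tenant/policy/v2.0/.well-known/openid-configuration matches known pre-request: { requestId: '1.1' } +0ms`,
  `${P} POST ${IDP}/tenant/policy/oauth... IncomingRequest add cookies to request: ${SSO}; ${CSRF} +0ms`,
  `${P} GET ${APP}/api/version IncomingRequest add cookies to request: ARRAffinity=constructed +0ms`,
].join("\n");

const FAILING_LOG = [
  `${P} GET ${IDP}/tfp/tenant/policy/v... IncomingRequest existing cookies on request:  +2ms`,
  `${P} GET ${IDP}/tfp/tenant/policy/v... IncomingRequest add cookies to request: ${CSRF} +0ms`,
  `${P} GET ${IDP}/tfp/tenant/policy/v... IncomingRequest waiting for prerequest +0ms`,
  `${P} GET ${APP}/api/version IncomingRequest add cookies to request: ARRAffinity=constructed +0ms`,
].join("\n");

// namespace, method, (possibly truncated) URL, stage, message, "+<elapsed>" suffix
const LINE = /cypress-verbose:proxy:http\s+(\S+)\s+(\S+)\s+IncomingRequest\s+(.*?)\s*\+\d+\w*\s*$/;
const ADD_COOKIES = /^add cookies to request:\s*(.*)$/;
const PRE_REQUEST = /matches known pre-request:/;

// Returns Map("METHOD url" -> { cookies: Set<name>, preRequestMatched: boolean }).
// Only cookie NAMES are kept, so the result can be shared without session values.
function parseProxyLog(logText) {
  const requests = new Map();
  for (const raw of logText.split(/\r?\n/)) {
    const m = LINE.exec(raw.trim());
    if (!m) continue; // IncomingResponse lines and other namespaces are ignored
    const [, method, url, message] = m;
    const key = `${method} ${url}`;
    if (!requests.has(key)) {
      requests.set(key, { cookies: new Set(), preRequestMatched: false });
    }
    const entry = requests.get(key);
    const added = ADD_COOKIES.exec(message);
    if (added) {
      for (const pair of added[1].split(";")) {
        const name = pair.split("=")[0].trim();
        if (name) entry.cookies.add(name);
      }
    } else if (PRE_REQUEST.test(message)) {
      entry.preRequestMatched = true;
    }
  }
  return requests;
}

// Lists everything the working run did for a request that the failing run did not.
function diffRuns(workingLog, failingLog) {
  const working = parseProxyLog(workingLog);
  const failing = parseProxyLog(failingLog);
  const findings = [];
  for (const [request, good] of working) {
    const bad = failing.get(request);
    if (!bad) {
      findings.push({ request, issue: "request-never-sent" });
      continue;
    }
    const missing = [...good.cookies].filter((n) => !bad.cookies.has(n)).sort();
    if (missing.length > 0) {
      findings.push({ request, issue: "cookies-not-attached", cookies: missing });
    }
    if (good.preRequestMatched && !bad.preRequestMatched) {
      findings.push({ request, issue: "no-pre-request-match" });
    }
  }
  return findings;
}

console.log(JSON.stringify(diffRuns(WORKING_LOG, FAILING_LOG), null, 2));
```
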

@Wilhop
Author

Wilhop commented Aug 10, 2022

I cleaned up a small portion of the logs with verbose:proxy:http.

Some differences in the log I noticed just before the test fails:
  1. In 10.4 "IncomingRequest add cookies to request: x-ms-cpim-sso:testappb2c.onmicrosoft.com_0=" does not happen. It only adds x-ms-cpim-csrf.
Note: I'm not too familiar with Azure login, but the docs suggest it's used for maintaining the SSO-session, which means if it's missing it might break the flow. I can't replicate it because intercepting calls inside cy.origin() is not allowed.
image

  2. In 10.4 the line "Incoming request GET-https://testappb2c.b2clogin.com/tfp/testappb2c.onmicrosoft.com/b2c_1_local/v2.0/.well-known/openid-configuration matches known pre-request:" does not happen
  3. And then after that, in 10.4 obviously the POST requests do not happen, and when the POST requests don't happen and we don't get required data in response, logic after that will fail.

Logs just before the point where newer version fails, from Cypress 10.3.1


cypress-verbose:proxy:http GET https://testappb2c.b2clogin.com/tfp/testappb2c.onmicrosoft.com/b2c_1_local/v... IncomingRequest proxying request { req: { method: 'GET', proxiedUrl: 'https://testappb2c.b2clogin.com/tfp/testappb2c.onmicrosoft.com/b2c_1_local/v2.0/.well-known/openid-configuration', headers: { host: 'testappb2c.b2clogin.com', connection: 'keep-alive', 'sec-ch-ua': '', 'sec-ch-ua-mobile': '?0', 'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/104.0.5112.79 Safari/537.36', 'sec-ch-ua-platform': '', accept: '*/*', origin: 'https://test.testapp.fi', 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty', referer: 'https://test.testapp.fi/', 'accept-encoding': 'gzip, deflate, br', 'accept-language': 'fi' } } } +1s
  cypress-verbose:proxy:http GET https://testappb2c.b2clogin.com/tfp/testappb2c.onmicrosoft.com/b2c_1_local/v... IncomingRequest existing cookies on request:  +2ms
  cypress-verbose:proxy:http GET https://testappb2c.b2clogin.com/tfp/testappb2c.onmicrosoft.com/b2c_1_local/v... IncomingRequest add cookies to request: x-ms-cpim-sso:testappb2c.onmicrosoft.com_0=ssotoken123; x-ms-cpim-csrf=csrftoken123 +0ms 
  cypress-verbose:proxy:http GET https://testappb2c.b2clogin.com/tfp/testappb2c.onmicrosoft.com/b2c_1_local/v... IncomingRequest waiting for prerequest +0ms
  cypress-verbose:proxy:http GET https://testappb2c.b2clogin.com/tfp/testappb2c.onmicrosoft.com/b2c_1_local/v... IncomingRequest Incoming request GET-https://testappb2c.b2clogin.com/tfp/testappb2c.onmicrosoft.com/b2c_1_local/v2.0/.well-known/openid-configuration matches known pre-request: { requestId: '26388.241', method: 'GET', url: 'https://testappb2c.b2clogin.com/tfp/testappb2c.onmicrosoft.com/b2c_1_local/v2.0/.well-known/openid-configuration', headers: { 'sec-ch-ua': '', Referer: 'https://test.testapp.fi/', 'sec-ch-ua-mobile': '?0', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/104.0.5112.79 Safari/537.36', 'sec-ch-ua-platform': '' }, resourceType: 'fetch', originalResourceType: 'Fetch' } +0ms
  cypress-verbose:proxy:http GET https://testappb2c.b2clogin.com/tfp/testappb2c.onmicrosoft.com/b2c_1_local/v... IncomingResponse received response { req: { method: 'GET', proxiedUrl: 'https://testappb2c.b2clogin.com/tfp/testappb2c.onmicrosoft.com/b2c_1_local/v2.0/.well-known/openid-configuration', headers: { host: 'testappb2c.b2clogin.com', connection: 'keep-alive', 'sec-ch-ua': '', 'sec-ch-ua-mobile': '?0', 'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/104.0.5112.79 Safari/537.36', 'sec-ch-ua-platform': '', accept: '*/*', origin: 'https://test.testapp.fi', 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty', referer: 'https://test.testapp.fi/', 'accept-encoding': 'gzip', 'accept-language': 'fi', cookie: 'x-ms-cpim-sso:testappb2c.onmicrosoft.com_0=ssotoken123; x-ms-cpim-csrf=csrftoken123' } }, incomingRes: { headers: { 'cache-control': 'no-store, must-revalidate, no-cache', 'content-type': 'application/json; charset=utf-8', 'set-cookie': [Array], 'x-ms-gateway-requestid': '9999', 'access-control-allow-origin': 'https://test.testapp.fi', 'access-control-allow-methods': 'GET, OPTIONS', 'x-frame-options': 'SAMEORIGIN', public: 'OPTIONS,TRACE,GET,HEAD,POST', 'strict-transport-security': 'max-age=31536000; includeSubDomains', 'x-content-type-options': 'nosniff', 'x-xss-protection': '1; mode=block', allow: 'OPTIONS, TRACE, GET, HEAD, POST', date: 'Wed, 10 Aug 2022 06:55:30 GMT', 'content-length': '1306' }, statusCode: 200 } } +60ms
  cypress-verbose:proxy:http GET https://testappb2c.b2clogin.com/tfp/testappb2c.onmicrosoft.com/b2c_1_local/v... IncomingResponse determine injection +1ms
  cypress-verbose:proxy:http GET https://testappb2c.b2clogin.com/tfp/testappb2c.onmicrosoft.com/b2c_1_local/v... IncomingResponse - no injection (not html) +0ms
  cypress-verbose:proxy:http GET https://testappb2c.b2clogin.com/tfp/testappb2c.onmicrosoft.com/b2c_1_local/v... IncomingResponse injection levels: { isInitial: false, wantsInjection: false, wantsSecurityRemoved: false } +1ms
 cypress-verbose:proxy:http POST https://testappb2c.b2clogin.com/testappb2c.onmicrosoft.com/b2c_1_local/oauth... IncomingRequest proxying request { req: { method: 'POST', proxiedUrl: 'https://testappb2c.b2clogin.com/testappb2c.onmicrosoft.com/b2c_1_local/oauth2/v2.0/token', headers: { host: 'testappb2c.b2clogin.com', connection: 'keep-alive', 'content-length': '1583', 'sec-ch-ua': '', 'sec-ch-ua-mobile': '?0', 'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/104.0.5112.79 Safari/537.36', 'sec-ch-ua-platform': '', 'content-type': 'application/x-www-form-urlencoded;charset=utf-8', accept: '*/*', origin: 'https://test.testapp.fi', 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty', referer: 'https://test.testapp.fi/', 'accept-encoding': 'gzip, deflate, br', 'accept-language': 'fi' } } } +9ms
  cypress-verbose:proxy:http POST https://testappb2c.b2clogin.com/testappb2c.onmicrosoft.com/b2c_1_local/oauth... IncomingRequest existing cookies on request:  +1ms
  cypress-verbose:proxy:http POST https://testappb2c.b2clogin.com/testappb2c.onmicrosoft.com/b2c_1_local/oauth... IncomingRequest add cookies to request: x-ms-cpim-sso:testappb2c.onmicrosoft.com_0=ssotoken123; x-ms-cpim-csrf=csrftoken123 +0ms
  cypress-verbose:proxy:http POST https://testappb2c.b2clogin.com/testappb2c.onmicrosoft.com/b2c_1_local/oauth... IncomingRequest waiting for prerequest +0ms
  cypress-verbose:proxy:http POST https://testappb2c.b2clogin.com/testappb2c.onmicrosoft.com/b2c_1_local/oauth... IncomingRequest Incoming request POST-https://testappb2c.b2clogin.com/testappb2c.onmicrosoft.com/b2c_1_local/oauth2/v2.0/token matches known pre-request: { requestId: '26388.242', method: 'POST', url: 'https://testappb2c.b2clogin.com/testappb2c.onmicrosoft.com/b2c_1_local/oauth2/v2.0/token', headers: { 'sec-ch-ua': '', Referer: 'https://test.testapp.fi/', 'sec-ch-ua-mobile': '?0', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/104.0.5112.79 Safari/537.36', 'sec-ch-ua-platform': '', 'content-type': 'application/x-www-form-urlencoded;charset=utf-8' }, resourceType: 'fetch', originalResourceType: 'Fetch' } +0ms
  cypress-verbose:proxy:http POST https://testappb2c.b2clogin.com/testappb2c.onmicrosoft.com/b2c_1_local/oauth... IncomingResponse received response { req: { method: 'POST', proxiedUrl: 'https://testappb2c.b2clogin.com/testappb2c.onmicrosoft.com/b2c_1_local/oauth2/v2.0/token', headers: { host: 'testappb2c.b2clogin.com', connection: 'keep-alive', 'content-length': '1583', 'sec-ch-ua': '', 'sec-ch-ua-mobile': '?0', 'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/104.0.5112.79 Safari/537.36', 'sec-ch-ua-platform': '', 'content-type': 'application/x-www-form-urlencoded;charset=utf-8', accept: '*/*', origin: 'https://test.testapp.fi', 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty', referer: 'https://test.testapp.fi/', 'accept-encoding': 'gzip', 'accept-language': 'fi', cookie: 'x-ms-cpim-sso:testappb2c.onmicrosoft.com_0=ssotoken123; x-ms-cpim-csrf=csrftoken123' } }, incomingRes: { headers: { 'cache-control': 'no-store, must-revalidate, no-cache', 'content-type': 'application/json; charset=utf-8', 'set-cookie': [Array], 'x-ms-gateway-requestid': 'ec48b71e-a2ce-40d5-b5ca-4d77e5d45c7b', 'access-control-allow-origin': 'https://test.testapp.fi', 'access-control-expose-headers': 'Content-Length, Content-Encoding', 'access-control-allow-credentials': 'true', 'access-control-allow-methods': 'POST, OPTIONS', 'x-frame-options': 'DENY', public: 'OPTIONS,TRACE,GET,HEAD,POST', 'strict-transport-security': 'max-age=31536000; includeSubDomains', 'x-content-type-options': 'nosniff', 'x-xss-protection': '1; mode=block', allow: 'OPTIONS, TRACE, GET, HEAD, POST', date: 'Wed, 10 Aug 2022 06:55:30 GMT', 'content-length': '3265' }, statusCode: 200 } } +85ms
  cypress-verbose:proxy:http POST https://testappb2c.b2clogin.com/testappb2c.onmicrosoft.com/b2c_1_local/oauth... IncomingResponse determine injection +0ms
  cypress-verbose:proxy:http POST https://testappb2c.b2clogin.com/testappb2c.onmicrosoft.com/b2c_1_local/oauth... IncomingResponse - no injection (not html) +0ms
  cypress-verbose:proxy:http POST https://testappb2c.b2clogin.com/testappb2c.onmicrosoft.com/b2c_1_local/oauth... IncomingResponse injection levels: { isInitial: false, wantsInjection: false, wantsSecurityRemoved: false } +0ms 
  cypress-verbose:proxy:http GET https://test.testapp.fi/Application/-/-/-/api/Enviroment/GetProgramVersion IncomingRequest proxying request { req: { method: 'GET', proxiedUrl: 'https://test.testapp.fi/Application/-/-/-/api/Enviroment/GetProgramVersion', headers: { host: 'test.testapp.fi', connection: 'keep-alive', 'sec-ch-ua': '', instanceid: 'Bearer null', 'sec-ch-ua-mobile': '?0', authorization: 'Bearer 123456', accept: 'application/json, text/plain, */*', 'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/104.0.5112.79 Safari/537.36', TestappLic: 'Bearer null', 'sec-ch-ua-platform': '', 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty', referer: 'https://test.testapp.fi/', 'accept-encoding': 'gzip, deflate, br', 'accept-language': 'fi', cookie: 'ARRAffinity=1234567; ai_user=qjQiP|2022-08-10T06:55:26.833Z; __cypress.initial=true' } } } +15ms
  cypress-verbose:proxy:http GET https://test.testapp.fi/Application/-/-/-/api/Enviroment/GetProgramVersion IncomingRequest existing cookies on request: ARRAffinity=1234567; ai_user=qjQiP|2022-08-10T06:55:26.833Z; __cypress.initial=true +2ms
  cypress-verbose:proxy:http GET https://test.testapp.fi/Application/-/-/-/api/Enviroment/GetProgramVersion IncomingRequest add cookies to request: ARRAffinity=1234567 +0ms
  cypress-verbose:proxy:http GET https://test.testapp.fi/Application/-/-/-/api/Enviroment/GetProgramVersion IncomingRequest waiting for prerequest +0ms
  cypress-verbose:proxy:http GET https://test.testapp.fi/Application/-/-/-/api/Enviroment/GetProgramVersion IncomingRequest Incoming request GET-https://test.testapp.fi/Application/-/-/-/api/Enviroment/GetProgramVersion matches known pre-request: { requestId: '26388.243', method: 'GET', url: 'https://test.testapp.fi/Application/-/-/-/api/Enviroment/GetProgramVersion', headers: { 'sec-ch-ua': '', InstanceId: 'Bearer null', 'sec-ch-ua-mobile': '?0', Authorization: 'Bearer 123456', Accept: 'application/json, text/plain, */*', Referer: 'https://test.testapp.fi/', TestappLic: 'Bearer null', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/104.0.5112.79 Safari/537.36', 'sec-ch-ua-platform': '' }, resourceType: 'xhr', originalResourceType: 'XHR' } +0ms
  cypress-verbose:proxy:http GET https://test.testapp.fi/Application/-/-/-/api/Enviroment/GetProgramVersion IncomingResponse received response { req: { method: 'GET', proxiedUrl: 'https://test.testapp.fi/Application/-/-/-/api/Enviroment/GetProgramVersion', headers: { host: 'test.testapp.fi', connection: 'keep-alive', 'sec-ch-ua': '', instanceid: 'Bearer null', 'sec-ch-ua-mobile': '?0', authorization: 'Bearer 123456', accept: 'application/json, text/plain, */*', 'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/104.0.5112.79 Safari/537.36', TestappLic: 'Bearer null', 'sec-ch-ua-platform': '', 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty', referer: 'https://test.testapp.fi/', 'accept-encoding': 'gzip', 'accept-language': 'fi', cookie: 'ARRAffinity=1234567; ARRAffinity=1234567; ai_user=qjQiP|2022-08-10T06:55:26.833Z; __cypress.initial=true' } }, incomingRes: { headers: { 'cache-control': 'no-cache,no-store', pragma: 'no-cache', 'content-length': '19', 'content-type': 'application/json; charset=utf-8', expires: '-1', 'request-context': 'appId=cid-v1:1234567', 'x-frame-options': 'SAMEORIGIN', 'x-content-type-options': 'nosniff', 'x-xss-protection': '0', 'referrer-policy': 'strict-origin', 'x-powered-by': 'ARR/3.0', date: 'Wed, 10 Aug 2022 06:55:31 GMT' }, statusCode: 200 } } +21ms
  cypress-verbose:proxy:http GET https://test.testapp.fi/Application/-/-/-/api/Enviroment/GetProgramVersion IncomingResponse determine injection +2ms
  cypress-verbose:proxy:http GET https://test.testapp.fi/Application/-/-/-/api/Enviroment/GetProgramVersion IncomingResponse - no injection (not html) +0ms
  cypress-verbose:proxy:http GET https://test.testapp.fi/Application/-/-/-/api/Enviroment/GetProgramVersion IncomingResponse injection levels: { isInitial: true, wantsInjection: false, wantsSecurityRemoved: false } +0ms

Example logs from just before the test starts to fail, from Cypress 10.4

cypress-verbose:proxy:http GET https://testappb2c.b2clogin.com/tfp/testappb2c.onmicrosoft.com/b2c_1_local/v... IncomingRequest proxying request { req: { method: 'GET', proxiedUrl: 'https://testappb2c.b2clogin.com/tfp/testappb2c.onmicrosoft.com/b2c_1_local/v2.0/.well-known/openid-configuration', headers: { host: 'testappb2c.b2clogin.com', connection: 'keep-alive', 'sec-ch-ua': '', 'sec-ch-ua-mobile': '?0', 'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/104.0.5112.79 Safari/537.36', 'sec-ch-ua-platform': '', accept: '*/*', origin: 'https://test.testapp.fi', 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty', referer: 'https://test.testapp.fi/', 'accept-encoding': 'gzip, deflate, br', 'accept-language': 'fi' } } } +1s
cypress-verbose:proxy:http GET https://testappb2c.b2clogin.com/tfp/testappb2c.onmicrosoft.com/b2c_1_local/v... IncomingRequest existing cookies on request:  +2ms
cypress-verbose:proxy:http GET https://testappb2c.b2clogin.com/tfp/testappb2c.onmicrosoft.com/b2c_1_local/v... IncomingRequest add cookies to request: x-ms-cpim-csrf=csrftoken123 +0ms
cypress-verbose:proxy:http GET https://testappb2c.b2clogin.com/tfp/testappb2c.onmicrosoft.com/b2c_1_local/v... IncomingRequest waiting for prerequest +0ms
cypress-verbose:proxy:http GET https://testappb2c.b2clogin.com/tfp/testappb2c.onmicrosoft.com/b2c_1_local/v... IncomingResponse received response { req: { method: 'GET', proxiedUrl: 'https://testappb2c.b2clogin.com/tfp/testappb2c.onmicrosoft.com/b2c_1_local/v2.0/.well-known/openid-configuration', headers: { host: 'testappb2c.b2clogin.com', connection: 'keep-alive', 'sec-ch-ua': '', 'sec-ch-ua-mobile': '?0', 'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/104.0.5112.79 Safari/537.36', 'sec-ch-ua-platform': '', accept: '*/*', origin: 'https://test.testapp.fi', 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty', referer: 'https://test.testapp.fi/', 'accept-encoding': 'gzip', 'accept-language': 'fi', cookie: 'x-ms-cpim-csrf=csrftoken123' } }, incomingRes: { headers: { 'cache-control': 'no-store, must-revalidate, no-cache', 'content-type': 'application/json; charset=utf-8', 'set-cookie': [Array], 'x-ms-gateway-requestid': '9999', 'access-control-allow-origin': 'https://test.testapp.fi', 'access-control-allow-methods': 'GET, OPTIONS', 'x-frame-options': 'SAMEORIGIN', public: 'OPTIONS,TRACE,GET,HEAD,POST', 'strict-transport-security': 'max-age=31536000; includeSubDomains', 'x-content-type-options': 'nosniff', 'x-xss-protection': '1; mode=block', allow: 'OPTIONS, TRACE, GET, HEAD, POST', date: 'Wed, 10 Aug 2022 06:53:45 GMT', 'content-length': '1306' }, statusCode: 200 } } +83ms
cypress-verbose:proxy:http GET https://testappb2c.b2clogin.com/tfp/testappb2c.onmicrosoft.com/b2c_1_local/v... IncomingResponse determine injection +1ms
cypress-verbose:proxy:http GET https://testappb2c.b2clogin.com/tfp/testappb2c.onmicrosoft.com/b2c_1_local/v... IncomingResponse - no injection (not html) +0ms
cypress-verbose:proxy:http GET https://testappb2c.b2clogin.com/tfp/testappb2c.onmicrosoft.com/b2c_1_local/v... IncomingResponse injection levels: { isInitial: false, wantsInjection: false, wantsSecurityRemoved: false } +0ms
cypress-verbose:proxy:http GET https://test.testapp.fi/Application/-/-/-/api/Enviroment/GetProgramVersion IncomingRequest proxying request { req: { method: 'GET', proxiedUrl: 'https://test.testapp.fi/Application/-/-/-/api/Enviroment/GetProgramVersion', headers: { host: 'test.testapp.fi', connection: 'keep-alive', 'sec-ch-ua': '', accept: 'application/json, text/plain, */*', 'sec-ch-ua-mobile': '?0', 'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/104.0.5112.79 Safari/537.36', 'sec-ch-ua-platform': '', 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty', referer: 'https://test.testapp.fi/', 'accept-encoding': 'gzip, deflate, br', 'accept-language': 'fi', cookie: 'ARRAffinity=1234567; ai_user=odTyG|2022-08-10T06:53:41.479Z; __cypress.initial=true' } } } +15ms
cypress-verbose:proxy:http GET https://test.testapp.fi/Application/-/-/-/api/Enviroment/GetProgramVersion IncomingRequest existing cookies on request: ARRAffinity=1234567; ai_user=odTyG|2022-08-10T06:53:41.479Z; __cypress.initial=true +1ms
cypress-verbose:proxy:http GET https://test.testapp.fi/Application/-/-/-/api/Enviroment/GetProgramVersion IncomingRequest add cookies to request: ARRAffinity=1234567 +0ms
cypress-verbose:proxy:http GET https://test.testapp.fi/Application/-/-/-/api/Enviroment/GetProgramVersion IncomingRequest waiting for prerequest +0ms
cypress-verbose:proxy:http GET https://test.testapp.fi/Application/-/-/-/api/Enviroment/GetProgramVersion IncomingRequest Incoming request GET-https://test.testapp.fi/Application/-/-/-/api/Enviroment/GetProgramVersion matches known pre-request: { requestId: '33456.242', method: 'GET', url: 'https://test.testapp.fi/Application/-/-/-/api/Enviroment/GetProgramVersion', headers: { 'sec-ch-ua': '', Accept: 'application/json, text/plain, */*', Referer: 'https://test.testapp.fi/', 'sec-ch-ua-mobile': '?0', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/104.0.5112.79 Safari/537.36', 'sec-ch-ua-platform': '' }, resourceType: 'xhr', originalResourceType: 'XHR' } +0ms
cypress-verbose:proxy:http GET https://test.testapp.fi/Application/-/-/-/api/Enviroment/GetProgramVersion IncomingResponse received response { req: { method: 'GET', proxiedUrl: 'https://test.testapp.fi/Application/-/-/-/api/Enviroment/GetProgramVersion', headers: { host: 'test.testapp.fi', connection: 'keep-alive', 'sec-ch-ua': '', accept: 'application/json, text/plain, */*', 'sec-ch-ua-mobile': '?0', 'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/104.0.5112.79 Safari/537.36', 'sec-ch-ua-platform': '', 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty', referer: 'https://test.testapp.fi/', 'accept-encoding': 'gzip', 'accept-language': 'fi', cookie: 'ARRAffinity=1234567; ARRAffinity=1234567; ai_user=odTyG|2022-08-10T06:53:41.479Z; __cypress.initial=true' } }, incomingRes: { headers: { 'cache-control': 'no-cache,no-store', pragma: 'no-cache', 'content-length': '19', 'content-type': 'application/json; charset=utf-8', expires: '-1', 'request-context': 'appId=cid-v1:1234567', 'x-frame-options': 'SAMEORIGIN', 'x-content-type-options': 'nosniff', 'x-xss-protection': '0', 'referrer-policy': 'strict-origin', 'x-powered-by': 'ARR/3.0', date: 'Wed, 10 Aug 2022 06:53:45 GMT' }, statusCode: 200 } } +19ms
cypress-verbose:proxy:http GET https://test.testapp.fi/Application/-/-/-/api/Enviroment/GetProgramVersion IncomingResponse determine injection +0ms
cypress-verbose:proxy:http GET https://test.testapp.fi/Application/-/-/-/api/Enviroment/GetProgramVersion IncomingResponse - no injection (not html) +0ms
cypress-verbose:proxy:http GET https://test.testapp.fi/Application/-/-/-/api/Enviroment/GetProgramVersion IncomingResponse injection levels: { isInitial: true, wantsInjection: false, wantsSecurityRemoved: false } +0ms

I'll try to get a full log, but there is just so much data in the log and the amount of cleaning without losing data integrity is surprisingly high :)
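One way to do the cleaning described above without breaking correlation between lines, as an added example (not part of the original comment or of Cypress): credential values in `cypress-verbose:proxy:http` lines are replaced with placeholders that stay stable per value, while cookie names and literal `null` tokens are kept. The header names are taken from the logs above; `makeRedactor` is a hypothetical helper.

```javascript
// Added example: redact secrets from Cypress proxy debug lines before posting.
// Each distinct secret maps to one stable placeholder, so a reader can still
// see that the same cookie or token appears (or is missing) across lines.
function makeRedactor() {
  const seen = new Map(); // secret value -> placeholder

  const mask = (value) => {
    // Literal null/true/false/empty are diagnostic, not secret: keep them.
    if (['', 'null', 'true', 'false'].includes(value)) return value;
    if (!seen.has(value)) seen.set(value, `<redacted-${seen.size + 1}>`);
    return seen.get(value);
  };

  // "name=value; name=value" -> names kept, values masked one by one.
  const maskCookies = (pairs) =>
    pairs.split('; ').map((pair) => {
      const i = pair.indexOf('=');
      return i < 0 ? pair : pair.slice(0, i + 1) + mask(pair.slice(i + 1));
    }).join('; ');

  return function redact(line) {
    return line
      // "<header>: '<scheme> <token>'" headers seen in the logs above.
      .replace(/\b(authorization|instanceid|TestappLic): '(\w+) ([^']*)'/gi,
        (_, key, scheme, token) => `${key}: '${scheme} ${mask(token)}'`)
      // cookie: '<pairs>' inside the inspected header object.
      .replace(/\bcookie: '([^']*)'/g,
        (_, pairs) => `cookie: '${maskCookies(pairs)}'`)
      // "existing cookies on request: <pairs> +1ms" style lines.
      .replace(/(cookies (?:on|to) request: )(.*?)( \+\d+m?s)$/,
        (_, pre, pairs, post) => pre + maskCookies(pairs) + post);
  };
}
```

Create one redactor per log file and run every line through it, so a value masked in a request header gets the same placeholder where it reappears in a later line.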

@AtofStryker
Contributor

@Wilhop this is incredibly useful. I think we have enough here to get an idea of what is happening. In addition, what I can try to do is try to reproduce this with an Azure B2C app and see if I can reproduce the missing cookie.

@AtofStryker AtofStryker added topic: cookies 🍪 type: regression A bug that didn't appear until a specific Cy version release v10.4.0 🐛 issue present since 10.4.0 labels Aug 10, 2022
@Wilhop
Author

Wilhop commented Aug 11, 2022

Not sure if this has something to do with this issue, but while trying to debug our problem I noticed I couldn't log any of the "x-ms-*" cookies. cy.getCookie() finds other cookies, but it didn't find the cookies that had "myappb2c.b2clogin.com" Domain-value.

Cookies
https://myapp.app.fi
-> and cookie domain is myappb2c.b2clogin.com

@AtofStryker
Contributor

@Wilhop any idea if those are HttpOnly cookies? Cypress does a few things to manage cross origin cookies on the server, which are applied to requests but eventually synced with the browser. My guess is a) they're HttpOnly cookies b) haven't been synced yet or c) it's a part of the cookie bug we are seeing here.

@cypress-bot cypress-bot bot added stage: routed to e2e-auth and removed stage: awaiting response Potential fix was proposed; awaiting response labels Aug 11, 2022
@mschile mschile added triage and removed triage labels Aug 18, 2022
@rlam3

rlam3 commented Aug 22, 2022

@emilyrohrbough is this PR: #23503 the fix for this issue?

@emilyrohrbough
Member

emilyrohrbough commented Aug 22, 2022

@rlam3 That PR is not the fix for this issue. Sorry! 😢

@AtofStryker
Contributor

@Wilhop We released some cookie changes today with 10.8.0. Are there any improvements with your issue? My guess is the getCookie issues might still persist, but hopefully correct cookies are now being sent from the proxy server.

@Wilhop
Author

Wilhop commented Sep 14, 2022

@AtofStryker I can happily confirm that after updating to 10.8.0 the login is now working and cookies/storages are preserved.

Was the fix this item on the release notes?
"Fixed a regression introduced in Cypress 10.3.0, and further exposed in 10.4.0, that omitted same-site cookies when the URL Scheme, Domain, and Top Level Domain matched, but the ports are different (i.e. same-site). Fixes #23132."

I believe the issue can be closed, hopefully not introduced again :)

@AtofStryker
Contributor

> @AtofStryker I can happily confirm that after updating to 10.8.0 the login is now working and cookies/storages are preserved.

That's great!

> Was the fix this item on the release notes? "Fixed a regression introduced in Cypress 10.3.0, and further exposed in 10.4.0, that omitted same-site cookies when the URL Scheme, Domain, and Top Level Domain matched, but the ports are different (i.e. same-site). Fixes #23132."

That is the fix I believe should have solved this issue, and it looks like it does! We have further cookie improvements coming in future releases, but right now this fix gets us over the hump.

> I believe the issue can be closed, hopefully not introduced again :)

Awesome. I am going to close this out but if you run into any other issues just let us know!
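The distinction the quoted release note turns on, as an added example (not Cypress's code and not part of the comments above): cookies are scoped by host, never by port, so two URLs that differ only in port are cross-origin but same-site and must receive the same cookies. `registrableDomain` is a simplified stand-in for a Public Suffix List lookup, the port numbers are constructed, and the jar is modelled on cookie names from the logs in this thread.

```javascript
// Simplified eTLD+1: the last two labels. This is an assumption; real code
// must consult the Public Suffix List (e.g. "co.uk" needs three labels).
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Same-origin compares scheme, host AND port.
function isSameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Schemeful same-site compares scheme and registrable domain; port is ignored.
function isSameSite(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol &&
    registrableDomain(ua.hostname) === registrableDomain(ub.hostname);
}

// Simplified RFC 6265 domain-match: exact host, or a subdomain of the
// cookie's Domain value. Host-only cookies and IP hosts are not modelled.
function domainMatches(hostname, cookieDomain) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = hostname.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Names of the cookies a proxy should attach to a request. The port of the
// URL is deliberately never consulted.
function cookiesForRequest(jar, url) {
  const { hostname, protocol } = new URL(url);
  return jar
    .filter((c) => domainMatches(hostname, c.domain))
    .filter((c) => !c.secure || protocol === 'https:')
    .map((c) => c.name);
}

// Constructed jar: one cookie per domain involved in the login flow.
const jar = [
  { name: 'ARRAffinity', domain: 'test.testapp.fi', secure: true },
  { name: 'x-ms-cpim-csrf', domain: 'testappb2c.b2clogin.com', secure: true },
];
```

The same matching also shows why a cookie whose Domain is the B2C login host is out of scope when cookies are evaluated for the application host.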

@AtofStryker AtofStryker removed their assignment Sep 14, 2022