Move XmlHttpRequest and Fetch patches to cross-origin injection code

[AtofStryker]

What would you like?

In preparation for experimentalSessionAndOrigin to go GA, we likely need to move the XmlHttpRequest and Fetch injections into the injection/cross-origin.js file. Since Cypress may or may not be instantiated yet, we might be able to leverage postMessage to send credentialStatus and resourceType to the primary, and the primary sends the information to the web socket.

Currently the Cypress.backend request happens before the request is actually send to the server, which usually almost always means that the credentials are stored in the map by the time the proxy tries to access them. If using postMessage, this might no longer be the case, and the proxy may need to listen for an event or poll until it finds the credentials it needs without slowing down the proxy server

Why is this needed?

Given the following example:

it('does a cross-origin navigation', () => {
  cy.visit('https://localhost:8080/index.html')

  cy.visit('https://www.foobar.com/index.html')
  /**
   * After visit, The AUT calls:
   *
   * fetch('www.boobaz.com/test-request', { credentials: 'include' })
   *
   * Since there is no cy.origin block active, or maybe the patch happens after the request,
   * we are unable to infer the credentials in the proxy, which essentially leads to
   * the ability of the request for www.boobaz.com/test-request does not attach cookies nor
   * has the ability to set them. This might be a problem for those who attach a cy.origin lazily after visit,
   * or are using cy.visit with chromeWebSecurity: false without cy.origin blocks.
   */
})

Other

No response

[AtofStryker]

Added from the joint #23872 review:

currently without a cy.origin block, we can't actually figure out what credentials were applied, and also leaves errors for when the cy.origin block is attached. One possible solution is to send the url and credential status of postMessage to the primary, and send this up to the backend. If we can figure out a graceful way to handle the possible race condition of which gets there first, a) the request or b) the credentials, this could be a good way forward. This shouldn't block release immediately, but needs to be figured out before going GA

[cypress-bot]

The code for this is done in cypress-io/cypress#24243, but has yet to be released.
We'll update this issue and reference the changelog when it's released.

[cypress-bot]

Released in 10.11.0.

This comment thread has been locked. If you are still experiencing this issue after upgrading to
Cypress v10.11.0, please open a new issue.