fix(multi-domain): Handle SameSite cookies

[chrisbreiding]

• Closes [Multi-domain]: Test authentication workflow #19849

User facing changelog

N/A

Additional details

For multi-domain authentication workflows, when the secondary domain attempts to set a cookie and the cookie is SameSite=Strict/Lax, the browser won't set it since top is a different origin. This is also the case when navigating back to the primary domain, even though the origin is the same as top, since it's cross-origin and not a top-level navigation.

To resolve this, when a request attempts to set a cookie for a request from the AUT that is cross-origin, we force the cookie to be SameSite=None; Secure, so that it gets set by the browser. Firefox won't set SameSite=None; Secure cookies for http://localhost in an iframe, so we remove the Secure flag in that case.

This is a temporary solution for the experimental release of multi-domain support. In the future, this will be replaced with a more robust solution that provides the necessary cookies to cross-origin requests without changing the SameSite attribute of the cookie when a request attempts to set it.

PR Tasks

• Have tests been added/updated?
• N/A Has the original issue (or this PR, if no issue exists) been tagged with a release in ZenHub? (user-facing changes only)
• N/A Has a PR for user-facing changes been opened in cypress-documentation?
• N/A Have API changes been updated in the type definitions?
• N/A Have new configuration options been added to the cypress.schema.json?

[cypress-bot]

Thanks for taking the time to open a PR!

• Create a Draft Pull Request if your PR is not ready for review. Mark the PR as Ready for Review when you're ready for a Cypress team member to review the PR.
• Become familiar with the Code Review Checklist for guidelines on coding standards and what needs to be done before a PR can be merged.

[cypress]

---

Test summary

5273 • 0 • 71 • 1 • 3

---

Run details

Project	cypress
Status	Passed
Commit	796df1d
Started	Mar 21, 2022 6:25 PM
Ended	Mar 21, 2022 6:40 PM
Duration	14:50 💡
OS	Linux Debian - 10.10
Browser	Electron 94

View run in Cypress Dashboard ➡️

---

Flakiness

	commands/actions/click_spec.js		1
1	... > throws when any member of the subject isnt visible
	settings_spec.js		1
1	Settings > file preference panel > loads preferred editor, available editors and shows spinner
	cy/timers_spec.js		1
1	driver/src/cy/timers > can cancel setIntervals paused or unpaused

---

This comment has been generated by cypress-bot as a result of this project's GitHub integration settings. You can manage this integration in this project's settings in the Cypress Dashboard

[flotwig]

This is a temporary solution for the experimental release of multi-domain support. In the future, this will be replaced with a more robust solution that provides the necessary cookies to cross-origin requests without changing the SameSite attribute of the cookie when a request attempts to set it.

@chrisbreiding this is the "don't modify the broken header, just use automation to force it to be set" approach, correct? Is there already a task created for this somewhere?

[flotwig]

nit: kinda feels like all these should be nested describes in a top-level describe('cookie modification specifics')

[chrisbreiding]

Addressed in c0a3ce8

[flotwig]

these 3 lines should go inside of if (cookies), since they are not used outside of that scope

[chrisbreiding]

Addressed in e88519a

[flotwig]

my apologies for all the changes you had to make to this file... in retrospect, this was an unmaintainable way to set up how ctx works. this area needs a refactor, like, yesterday. not related to this PR, just sharing my shame 😄

[flotwig]

what about localhost6? 😛 i'm mostly kidding... but i do think that this area might be error-prone, especially since i don't see any links to RFCs or browser source code showing how they do this heuristic. do you have any references for how browsers decide this?

[chrisbreiding]

Addressed in a2f7bd8

[mschile]

There is similar code in https://github.com/cypress-io/cypress/blob/develop/packages/driver/src/cypress/location.ts#L16 for verifying localhost as well. Seems like it would be pretty simple to update that code to use this.

[flotwig]

that regex you linked actually looks wrong, i don't think 0.0.0.0 resolves to localhost

[chrisbreiding]

I don't know why it's specifically checking for localhost there. Seems like it should just be a general IP address check since it's trying to determine if it's a url it can normalize.

[mschile]

I believe it's addressing this requirement:

Cypress automatically prepends the http:// protocol to common hosts. If you're not using one of these 3 hosts, then make sure to provide the protocol.

cy.visit('localhost:3000') // Visits http://localhost:3000
cy.visit('0.0.0.0:3000') // Visits http://0.0.0.0:3000
cy.visit('127.0.0.1:3000') // Visits http://127.0.0.1:3000

https://docs.cypress.io/api/commands/visit#Protocol

[chrisbreiding]

Ah good find. In that case, it seems like that variable name is a bit misleading, but we probably shouldn't change the behavior since it's documented that way.

[flotwig]

Except for maybe 0.0.0.0... I don't think there's any possible way to load something from the null route

[mschile]

Looks like there are some references to using 0.0.0.0 in the issues: https://github.com/cypress-io/cypress/issues?q=is%3Aissue+0.0.0.0+

[flotwig]

can you type this please, and maybe move sendDebuggerCommandFn, onFn, and automation to this options object? let's keep this signature as clean as possible, it has been ballooning

[chrisbreiding]

Addressed in 4ed06ad

[flotwig]

i'd also like to see some links to defintiive documentation (RFC, source code, authoritative reference...) for this, i believe you, but it's important to clearly track browser errata like this since it changes under our feet all the time...

[chrisbreiding]

I dug a bit deeper into this and the reason there's a difference in Firefox is that it doesn't consider http://localhost to be a secure context when loaded by the Cypress-launched browser, even though it's normally considered a secure context.

Here's an existing issue about it. It has something to do with the way we launch Firefox. I dug into it a little bit, but it needs a bit more research and I decided to time-box the effort since it's out of scope for this work.

The fact is that http://localhost won't allow SameSite=None; Secure cookies to be set even outside of multi-domain. The question then is whether we should have this workaround at all to support it for multi-domain when it doesn't even work in general. I decided to keep the workaround in for the following reasons:

• It's only going in the experimental release and will be removed once better cookie handling is implemented.
• The primary use-case for multi-domain is authentication, so I think it's important to get cookies working consistently between browsers for authentication purposes.
• We may need a similar workaround outside of multi-domain anyway, though I don't want to go that far at this moment. I feel it's best to scope this to the multi-domain work and experimental release instead of doing a general workaround without doing more research into why Firefox doesn't consider the browser a secure context.

I improved the comment here, explaining what I did above in brief and linking to the spec regarding secure contexts.

[chrisbreiding]

@chrisbreiding this is the "don't modify the broken header, just use automation to force it to be set" approach, correct? Is there already a task created for this somewhere?

Yeah, that's right. Here's the issue for it.