feat: add experimentalModifyObstructiveThirdPartyCode flag for regex rewriter #22568
…ritter integrity implementation against
… can't without lookback).
update stripped integrity tag to make jquery happy
… order, legitimacy, and include link tags
…o regex-rewriter to allow users to opt in to additional modify obstructive code and SRI stripping
…expanded-modify-obstructive-code
|| resContentTypeIsJavaScript(this.incomingRes) | ||
) | ||
this.res.wantsSecurityRemoved = this.config.modifyObstructiveCode && | ||
(this.res.wantsInjection === 'full' || this.res.wantsInjection === 'fullCrossOrigin' || (resContentTypeIsJavaScript(this.incomingRes) && this.config.experimentalExpandedModifyObstructiveCode)) |
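Review bot: the JavaScript branch of the `wantsSecurityRemoved` condition checks only `resContentTypeIsJavaScript(this.incomingRes)` and the experimental flag, with no origin or initiator check, so once `modifyObstructiveCode` and the flag are both on, every JavaScript response is rewritten. A comment above the assignment stating that scope would help, and splitting the one-line expression into named booleans would make the three cases easier to audit. The flag is spelled `experimentalExpandedModifyObstructiveCode` here while the PR title uses `experimentalModifyObstructiveThirdPartyCode`; one name should be used throughout.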
Modify the content if 1st party html full injection, or html that is being injected for cy.origin. Currently, we don't have a good mechanism for modifying general 3rd party javascript and has been considered a bug in the past #8983, so for now we will make sure the experimentalExpandedModifyObstructiveCode is enabled before doing so. This is subject to change, and we might even be able to determine if we can modify the code based on the initiator/requestor in the future.
I am also wondering if we want to do the same thing for html with this flag. Right now we run into weird edge cases where HTML is returned from a redirect after the cy.origin block has exited, which turns the rewriting off for that html and framebusts, which is going to make it difficult for users to test
I added more aggressive behavior in 5597dfa to remove security for all html/javascript resources, regardless of context, if the flag is enabled. This should prevent the weird gap use case where remote state changes at the end of a cy.origin block and html is still being fed to page from that origin, even though we have left that context and the rewriter no longer attempts to rewrite that html.
packages/rewriter/lib/html-rules.ts
Outdated
@@ -29,7 +29,7 @@ export function install (url: string, rewriter: RewritingStream, deferSourceMapR | |||
const sriAttr = find(startTag.attrs, { name: 'integrity' }) | |||
|
|||
if (sriAttr) { | |||
sriAttr.name = 'cypress:stripped-integrity' | |||
sriAttr.name = 'cypress-stripped-integrity' |
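Review bot: the new attribute name is a bare string literal at `sriAttr.name = 'cypress-stripped-integrity'`, so anything else that writes or looks up the old `cypress:stripped-integrity` name will silently stop matching. Suggest exporting the name as a shared constant and using it here, and adding a short comment on why the integrity attribute is renamed rather than removed.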
I believe this is used by the AST rewriter. For some reason, jQuery has a fit when an html attribute contains a : when doing a generic selector (guessing a collision on standard html attribute characters?) I am wondering if we want to standardize this attribute and go with data-cypress-stripped-integrity
@@ -5,21 +5,44 @@ const invalidTargets = new Set(['_parent', '_top']) | |||
export type GuardedEvent = Event & {target: HTMLFormElement | HTMLAnchorElement} |
There aren't really any changes to this file. I just created the handleInvalidTarget function and updated the handleInvalidEventTarget and handleInvalidAnchorTarget functions to call it.
@@ -15,7 +13,7 @@ | |||
// - On an interval, get the browser's cookies for the given domain, so that | |||
// updates to the cookie jar (via http requests, cy.setCookie, etc) are | |||
// reflected in the document.cookie value. | |||
export const patchDocumentCookie = (Cypress) => { | |||
export const patchDocumentCookie = (Cypress, window) => { |
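Review bot: the added `window` parameter on `patchDocumentCookie` shadows the global `window` inside the function body, which makes it easy to reach for the wrong object later; naming it `win` or similar would avoid that. The comment block above the export does not say which window the caller is expected to pass, and that should be documented along with the signature change.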
these patches are pretty straight forward and a good way to keep the injected code small 👍
Waiting anxiously for this feature to be released. Any timeline on when would this be released?
@frnc07, this change should go in our next release which is scheduled for next week.
I can't see it on the 10.4 changelog. Do you have a release date for this feature please?
@ChrystelCy It's listed as the 3rd bullet under the features section: https://docs.cypress.io/guides/references/changelog#10-4-0
Thanks, I was looking for "22568" ...
@ChrystelCy no worries at all. Generally we link to the issue(s) associated to a change in the changelog unless there was not an original issue to link to.
cy.origin integration tests for Azure Active Directory #21476 with the completion of #22479
User facing changelog
Introduces a new experimental flag, called experimentalModifyObstructiveThirdPartyCode. When enabled, experimentalModifyObstructiveThirdPartyCode will turn on additional modifyObstructiveCode options to prevent frame busting, as well as strip integrity tags out of <link> and <script> elements. In the current state of this experimental flag, SRI is not supported.
Additional details
As a team, we felt it best that changes to the regex-rewriter for modifyObstructiveCode be wrapped in its own experimental flag to reduce the potential impact of the rewriter modifying code that breaks users who are not leveraging cy.origin or wish to preserve SRI within their application. The impact of this flag will change as we continue to modify the regex-rewriter to handle different websites/authentication platforms. Additionally, the team plans to support server-side integrity matching to verify <link> and <script> elements that have had their integrity stripped be revalidated on the server through hash comparison.
e.top === e.self
formElement.submit() correctly handles unsupported targets
Steps to test
regex-rewriter have been added to help guarantee the expected rewriting behavior for newly added modifications to the strip/stripStream function, as well as adding the integrity.cy.ts test inside the origin folder. For this test suite to run correctly, both the experimentalSessionAndOrigin and experimentalExpandedModifyObstructiveCode MUST be set to true. This has been modified in the package.json to pass in CI.
How has the user experience changed?
Users should now be able to log into Microsoft Online SSO and Login Live SSO (not pictured) via Cypress
PR Tasks
cypress-documentation?
type definitions?
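The server-side integrity matching that the description says is planned could take roughly this shape: hash the bytes received from upstream and compare them with the value kept in the stripped attribute. This is an added example, not Cypress code; the function names, the three result strings and the sample script are assumptions made for illustration, and the `'false'` replacement is only a stand-in for a rewriter edit.

```javascript
// Added example, not Cypress code: revalidate a stripped SRI value on the server.
const { createHash, timingSafeEqual } = require('node:crypto')

const SRI_ALGORITHMS = ['sha256', 'sha384', 'sha512'] // weakest to strongest

// Build an integrity value ("sha384-<base64>") for a body.
function computeIntegrity (body, alg = 'sha384') {
  return `${alg}-${createHash(alg).update(body).digest('base64')}`
}

// Split an integrity value into { alg, digest } entries, ignoring tokens with
// an unsupported algorithm or malformed base64 (options after "?" are dropped).
function parseIntegrity (value) {
  return String(value || '').trim().split(/\s+/).flatMap((token) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+\/]+={0,2})(?:\?.*)?$/.exec(token)
    return m ? [{ alg: m[1], digest: Buffer.from(m[2], 'base64') }] : []
  })
}

// Compare the upstream bytes with the digests of the strongest algorithm listed.
// Returns 'match', 'mismatch', or 'unverifiable' (no usable hash in the value).
function verifyStrippedIntegrity (body, integrityValue) {
  const entries = parseIntegrity(integrityValue)
  if (entries.length === 0) return 'unverifiable'
  const rank = (e) => SRI_ALGORITHMS.indexOf(e.alg)
  const strongest = Math.max(...entries.map(rank))
  const ok = entries.filter((e) => rank(e) === strongest).some((e) => {
    const actual = createHash(e.alg).update(body).digest()
    return actual.length === e.digest.length && timingSafeEqual(actual, e.digest)
  })
  return ok ? 'match' : 'mismatch'
}

// Constructed sample: a third-party script with a frame-busting check, the
// integrity value its <script> tag carried, and a stand-in for a rewritten body.
const UPSTREAM_BODY = Buffer.from('if (top !== self) { top.location = self.location }\n')
const STRIPPED_VALUE = computeIntegrity(UPSTREAM_BODY)
const REWRITTEN_BODY = Buffer.from(UPSTREAM_BODY.toString().replace('top !== self', 'false'))

function demo () {
  return {
    upstream: verifyStrippedIntegrity(UPSTREAM_BODY, STRIPPED_VALUE),
    rewritten: verifyStrippedIntegrity(REWRITTEN_BODY, STRIPPED_VALUE),
  }
}

console.log(demo())
```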