feat: add experimentalModifyObstructiveThirdPartyCode flag for regex rewriter

[AtofStryker]

• Closes Write cy.origin integration tests for Azure Active Directory #21476
• Closes Microsoft login removes the Cypress test frame when it redirects, causing tests to fail #21307

with the completion of #22479

User facing changelog

Introduces a new experimental flag, called experimentalModifyObstructiveThirdPartyCode. When enabled, experimentalModifyObstructiveThirdPartyCode will turn on additional modifyObstructiveCode options to prevent frame busting, as well as strips integrity tags out of <link> and <script> elements. In the current state of this experimental flag, SRI is not supported.

Additional details

As a team, we felt it be best that changes to the regex-rewriter for modifyObstructiveCode be wrapped in its own experimental flag to reduce the potential impact of the rewriter modify code that breaks users who are not leveraging cy.origin or wish to preserve SRI within their application. The impact of this flag will change as we continue to modify the regex-rewritter to handle different websites/authentication platforms. Additionally, the team plans to support server-side integrity matching to verify <link> and <script> elements that have had their integrity stripped be revalidated on the server through hash comparison.

• When the experimental flag is enabled:
  • third party html/scripts are run through the rewriter
  • regex rewriter will look for patterns similar to e.top === e.self
  • subresource integrity hashes removed from script and link tags
  • calling formElement.submit() correctly handles unsupported targets

Steps to test

• additional unit tests to the regex-rewriter have been added to help guarantee the expected rewriting behavior for newly added modifications to the strip/stripStream function, as well as adding the integrity.cy.ts test inside the origin folder. For this test suite to run correctly, both the experimentalSessionAndOrigin and experimentalExpandedModifyObstructiveCode MUST be set to true. This has been modified in the package.json to pass in CI.

How has the user experience changed?

Users should now be able to log into Microsoft Online SSO and Login Live SSO (not pictured) via Cypress

PR Tasks

• Have tests been added/updated?
• Has the original issue (or this PR, if no issue exists) been tagged with a release in ZenHub? (user-facing changes only)
• Has a PR for user-facing changes been opened in cypress-documentation?
• Have API changes been updated in the type definitions?

[cypress-bot]

Thanks for taking the time to open a PR!

• Create a Draft Pull Request if your PR is not ready for review. Mark the PR as Ready for Review when you're ready for a Cypress team member to review the PR.
• Become familiar with the Code Review Checklist for guidelines on coding standards and what needs to be done before a PR can be merged.

[cypress]

---

Test summary

4379 • 0 • 49 • 0 • 0

---

Run details

Project	cypress
Status	Passed
Commit	97bb6e0
Started	Jul 22, 2022 5:18 AM
Ended	Jul 22, 2022 5:30 AM
Duration	11:51 💡
OS	Linux Debian - 11.3
Browser	Electron 102

View run in Cypress Dashboard ➡️

---

This comment has been generated by cypress-bot as a result of this project's GitHub integration settings. You can manage this integration in this project's settings in the Cypress Dashboard

[AtofStryker]

Modify the content if 1st party html full injection, or html that is being injected for cy.origin. Currently, we don't have a good mechanism for modifying general 3rd party javascript and has been a considered a bug in the past #8983, so for now we will make sure the experimentalExpandedModifyObstructiveCode is enabled before doing so. This is subject to change, and we might even be able to determine if we can modify the code based on the initiator/requestor in the future.

[AtofStryker]

I am also wondering if we want to do the same thing for html with this flag. Right now we run into weird edge casesd where HTML is returned from a redirect after the cy.origin block has exited, which turns the rewriting off for that html and framebusts, which is going to make it difficult for users to test

[AtofStryker]

I added more aggressive behavior in 5597dfa to remove security for all html/javascript resources, regardless of context, if the flag is enabled. This should prevent the weird gap use case where remote state changes at the end of a cy.origin block and html is still being fed to page from that origin, even though we have left that context and the rewriter no longer attempts to rewrite that html.

[AtofStryker]

I believe this is used by the AST rewriter. For some reason, jQuery has a fit when an html attribute contains a : when doing a generic selector (guessing a collision on stand html attribute characters?) I am wondering if we want to standardize this attribute and go with data-cypress-stripped-integrity

[mschile]

There aren't really any changes to this file. I just created the handleInvalidTarget function and updated the handleInvalidEventTarget and handleInvalidAnchorTarget functions to call it.

[mjhenkes]

these patches are pretty straight forward and a good way to keep the injected code small 👍

[frnc07]

Waiting anxiously for this feature to be released. Any timeline on when would this be released?

[mschile]

@frnc07, this change should go in our next release which is scheduled for next week.

[ChrystelCy]

@frnc07, this change should go in our next release which is scheduled for next week.

I can't see it on the 10.4 changelog. Do you have a release date for this feature please?

[emilyrohrbough]

@ChrystelCy It's listed as the 3rd bullet under the features section: https://docs.cypress.io/guides/references/changelog#10-4-0

[ChrystelCy]

@ChrystelCy It's listed as the 3rd bullet under the features section: https://docs.cypress.io/guides/references/changelog#10-4-0

Thanks, I was looking for "22568" ...

[emilyrohrbough]

@ChrystelCy no worries at all. Generally we link to the issue(s) associated to a change in the changelog unless there was not an original issue to link to.