Cypress 12.15 broke the ability to run Web Workers in cypress tests
Current behavior
Running a web worker in a cypress test after v12.15 results in an error:
spec.cy.js:36 Refused to create a worker from 'blob:http://localhost:3000/164681fb-cb4d-414b-8d35-2821c8805feb' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval'". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.
Running a web worker in a cypress test in v12.14 or earlier does not have this problem.
Desired behavior
Cypress should not generate a CSP error when a web worker is used from within the test (note that this does not happen when a webworker is used in the application-under-test, i.e., inside the iframe).
If it was the Cypress team's intention to break this use case, it should have been done in a major release, not a minor release.
Test code to reproduce
https://github.com/crfrolik/CypressWebWorkerTest
Instructions to reproduce are provided in the README.
Cypress Version
12.17.1
Node version
16.20.0
Operating System
Ubuntu 20.04
Debug Logs
The error that is encountered is:
TypeError: Cannot set property message of [object DOMException] which has only a getter
Because this error occurred during a `before each` hook we are skipping the remaining tests in the current suite: `websocket in webworker`
at modifyErrMsg (http://localhost:3000/__cypress/runner/cypress_runner.js:164400:15)
at Object.appendErrMsg (http://localhost:3000/__cypress/runner/cypress_runner.js:164405:10)
at Runner.<anonymous> (http://localhost:3000/__cypress/runner/cypress_runner.js:167607:76)
at Runner.emit (http://localhost:3000/__cypress/runner/cypress_runner.js:28203:7)
at ../driver/node_modules/mocha/lib/runner.js.Runner.fail (http://localhost:3000/__cypress/runner/cypress_runner.js:114863:8)
at Runner.fail (http://localhost:3000/__cypress/runner/cypress_runner.js:166072:25)
at ../driver/node_modules/mocha/lib/runner.js.Runner.failHook (http://localhost:3000/__cypress/runner/cypress_runner.js:114901:8)
at Hook.<anonymous> (http://localhost:3000/__cypress/runner/cypress_runner.js:114975:14)
at next (http://localhost:3000/__cypress/runner/cypress_runner.js:167997:24)
at http://localhost:3000/__cypress/runner/cypress_runner.js:168024:13
at tryCatcher (http://localhost:3000/__cypress/runner/cypress_runner.js:18744:23)
at Promise._settlePromiseFromHandler (http://localhost:3000/__cypress/runner/cypress_runner.js:16679:31)
at Promise._settlePromise (http://localhost:3000/__cypress/runner/cypress_runner.js:16736:18)
at Promise._settlePromise0 (http://localhost:3000/__cypress/runner/cypress_runner.js:16781:10)
at Promise._settlePromises (http://localhost:3000/__cypress/runner/cypress_runner.js:16861:18)
at Promise._fulfill (http://localhost:3000/__cypress/runner/cypress_runner.js:16805:18)
at Promise._resolveCallback (http://localhost:3000/__cypress/runner/cypress_runner.js:16599:57)
at Promise._settlePromiseFromHandler (http://localhost:3000/__cypress/runner/cypress_runner.js:16691:17)
at Promise._settlePromise (http://localhost:3000/__cypress/runner/cypress_runner.js:16736:18)
at Promise._settlePromise0 (http://localhost:3000/__cypress/runner/cypress_runner.js:16781:10)
at Promise._settlePromises (http://localhost:3000/__cypress/runner/cypress_runner.js:16861:18)
at Promise._fulfill (http://localhost:3000/__cypress/runner/cypress_runner.js:16805:18)
However, the error that appears in the browser's console log may be more relevant:
spec.cy.js:36 Refused to create a worker from 'blob:http://localhost:3000/164681fb-cb4d-414b-8d35-2821c8805feb' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval'". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.
Other
Our assumption is that the changes made related to https://github.com/cypress-io/cypress/issues/1030 are what caused this.
Note that we have tried using the experimentalCspAllowList option and that has not addressed the issue, e.g.:
"experimentalCspAllowList": ['script-src-elem', 'script-src', 'default-src', 'form-action', 'child-src', 'frame-src']
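The fallback named in the console error above, modelled as an added example that is not part of the original issue or of Cypress's code: with no `worker-src`, the browser walks `worker-src`, `child-src`, `script-src`, `default-src` and applies the first directive present, and a `blob:` URL only matches an explicit `blob:` scheme source. The function names and the second and third sample policies are constructed for illustration; host, path and wildcard matching are deliberately left out.

```javascript
// Added example: simplified model of which CSP directive governs
// `new Worker(blobUrl)` and whether the blob: URL passes it.
// Fallback order for worker requests as defined by CSP Level 3.
const WORKER_FALLBACK = ['worker-src', 'child-src', 'script-src', 'default-src'];

// Parse one serialized policy into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// First directive of the worker fallback chain that the policy defines.
function effectiveWorkerDirective(directives) {
  return WORKER_FALLBACK.find((name) => directives.has(name)) || null;
}

// Decide whether a blob: worker is allowed under a single policy.
function checkBlobWorker(policy) {
  const directives = parsePolicy(policy);
  const name = effectiveWorkerDirective(directives);
  // No governing directive at all means the policy does not restrict workers.
  if (name === null) return { directive: null, fallback: false, allowed: true };
  const sources = directives.get(name).map((s) => s.toLowerCase());
  // Keywords such as 'self' or 'unsafe-eval' and the "*" wildcard do not
  // match blob: URLs; only the explicit scheme source does.
  return {
    directive: name,
    fallback: name !== 'worker-src',
    allowed: sources.includes('blob:'),
  };
}

// Policy text taken from the error message in this issue.
const REPORTED = "script-src 'unsafe-eval'";
// Constructed policies for contrast (assumptions, not Cypress's fix).
const WITH_WORKER_SRC = "script-src 'unsafe-eval'; worker-src blob:";
const DEFAULT_ONLY = "default-src 'self'";

for (const p of [REPORTED, WITH_WORKER_SRC, DEFAULT_ONLY]) {
  console.log(JSON.stringify(p), checkBlobWorker(p));
}
```
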
Hi, we definitely did not intend to break anything. Thanks for the minimal reproduction, this is really helpful. Let me take a look and isolate the commit that introduced this, and see what we can do.
The reproduction works as expected. I might tag @chrisbreiding, who has deep expertise in this area of the code base.
Thanks for working on this issue @lmiller1990, @chrisbreiding. I can provide some clues for your reference.
I think the following changes introduced the breaking change. https://github.com/cypress-io/cypress/blob/1fcdc878b601d1eee870e30ee012993443d61742/packages/driver/src/util/privileged_channel.ts#L4-L15
It seems the changes are part of the privileged commands feature that I'm not familiar with. It sets some CSP headers that disallow web workers from running in my scenario.
Thanks for the prompt fix! Any word on when this will be available in a release?
@c32hedge There should be a new release out this week, possibly today, that has the fix
Released in 12.17.2.
This comment thread has been locked. If you are still experiencing this issue after upgrading to Cypress v12.17.2, please open a new issue.