
Cypress 12.15 broke the ability to run Web Workers in cypress tests

Open crfrolik opened this issue 1 year ago • 3 comments

Current behavior

Running a web worker in a cypress test after v12.15 results in an error:

spec.cy.js:36 Refused to create a worker from 'blob:http://localhost:3000/164681fb-cb4d-414b-8d35-2821c8805feb' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval'". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.

Running a web worker in a cypress test in v12.14 or earlier does not have this problem.

Desired behavior

Cypress should not generate a CSP error when a web worker is used from within the test (note that this does not happen when a webworker is used in the application-under-test, i.e., inside the iframe).

If it was the Cypress team's intention to break this use case, it should have been done in a major release, not a minor release.

Test code to reproduce

https://github.com/crfrolik/CypressWebWorkerTest

Instructions to reproduce are provided in the README.

Cypress Version

12.17.1

Node version

16.20.0

Operating System

Ubuntu 20.04

Debug Logs

The error that is encountered is:

     TypeError: Cannot set property message of [object DOMException] which has only a getter

Because this error occurred during a `before each` hook we are skipping the remaining tests in the current suite: `websocket in webworker`
      at modifyErrMsg (http://localhost:3000/__cypress/runner/cypress_runner.js:164400:15)
      at Object.appendErrMsg (http://localhost:3000/__cypress/runner/cypress_runner.js:164405:10)
      at Runner.<anonymous> (http://localhost:3000/__cypress/runner/cypress_runner.js:167607:76)
      at Runner.emit (http://localhost:3000/__cypress/runner/cypress_runner.js:28203:7)
      at ../driver/node_modules/mocha/lib/runner.js.Runner.fail (http://localhost:3000/__cypress/runner/cypress_runner.js:114863:8)
      at Runner.fail (http://localhost:3000/__cypress/runner/cypress_runner.js:166072:25)
      at ../driver/node_modules/mocha/lib/runner.js.Runner.failHook (http://localhost:3000/__cypress/runner/cypress_runner.js:114901:8)
      at Hook.<anonymous> (http://localhost:3000/__cypress/runner/cypress_runner.js:114975:14)
      at next (http://localhost:3000/__cypress/runner/cypress_runner.js:167997:24)
      at http://localhost:3000/__cypress/runner/cypress_runner.js:168024:13
      at tryCatcher (http://localhost:3000/__cypress/runner/cypress_runner.js:18744:23)
      at Promise._settlePromiseFromHandler (http://localhost:3000/__cypress/runner/cypress_runner.js:16679:31)
      at Promise._settlePromise (http://localhost:3000/__cypress/runner/cypress_runner.js:16736:18)
      at Promise._settlePromise0 (http://localhost:3000/__cypress/runner/cypress_runner.js:16781:10)
      at Promise._settlePromises (http://localhost:3000/__cypress/runner/cypress_runner.js:16861:18)
      at Promise._fulfill (http://localhost:3000/__cypress/runner/cypress_runner.js:16805:18)
      at Promise._resolveCallback (http://localhost:3000/__cypress/runner/cypress_runner.js:16599:57)
      at Promise._settlePromiseFromHandler (http://localhost:3000/__cypress/runner/cypress_runner.js:16691:17)
      at Promise._settlePromise (http://localhost:3000/__cypress/runner/cypress_runner.js:16736:18)
      at Promise._settlePromise0 (http://localhost:3000/__cypress/runner/cypress_runner.js:16781:10)
      at Promise._settlePromises (http://localhost:3000/__cypress/runner/cypress_runner.js:16861:18)
      at Promise._fulfill (http://localhost:3000/__cypress/runner/cypress_runner.js:16805:18)

However, the error that appears in the browser's console log may be more relevant:

spec.cy.js:36 Refused to create a worker from 'blob:http://localhost:3000/164681fb-cb4d-414b-8d35-2821c8805feb' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval'". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.

Other

Our assumption is that the changes made related to https://github.com/cypress-io/cypress/issues/1030 are what caused this.

Note that we have tried using the experimentalCspAllowList option and that has not addressed the issue, e.g.:

  "experimentalCspAllowList": ['script-src-elem', 'script-src', 'default-src', 'form-action', 'child-src', 'frame-src']

crfrolik avatar Jul 13 '23 18:07 crfrolik
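The console message in the report above follows from CSP's fallback rule for workers: with no `worker-src`, the browser checks the worker URL against the next directive in the chain, here `script-src`. The sketch below is an added example, not part of the thread or of Cypress's code. It resolves the governing directive for a policy string and checks whether a `blob:` worker passes. The function names are hypothetical, and source matching is simplified to the assumption that only the scheme-source `blob:` matches a blob URL.

```javascript
// Added example: which CSP directive governs `new Worker(blobUrl)`?
// Fallback order for worker requests in CSP Level 3.
const WORKER_FALLBACK = ['worker-src', 'child-src', 'script-src', 'default-src'];

// Parse a serialized policy into Map<directive name, source expressions[]>.
// The first occurrence of a directive wins; later duplicates are ignored.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return the directive a worker load is checked against, or null if the
// policy contains none of the directives in the fallback chain.
function governingWorkerDirective(policy) {
  const directives = parsePolicy(policy);
  for (const name of WORKER_FALLBACK) {
    if (directives.has(name)) return { name, sources: directives.get(name) };
  }
  return null;
}

// Assumption (simplified matching): a blob: URL is allowed only when the
// governing source list contains the scheme-source `blob:`. Keywords such
// as 'unsafe-eval' never match a URL.
function checkBlobWorker(policy) {
  const governing = governingWorkerDirective(policy);
  if (governing === null) return { allowed: true, directive: null };
  const allowed = governing.sources.some((s) => s.toLowerCase() === 'blob:');
  return { allowed, directive: governing.name };
}

// Policy text taken from the console error quoted in the report.
const reported = "script-src 'unsafe-eval'";
console.log(checkBlobWorker(reported));
// Constructed variant: an explicit worker-src takes precedence over script-src.
console.log(checkBlobWorker(reported + '; worker-src blob:'));
```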

Hi, we definitely did not intend to break anything. Thanks for the minimal reproduction, this is really helpful. Let me take a look and isolate the commit that introduced this, and see what we can do.

lmiller1990 avatar Jul 14 '23 00:07 lmiller1990

The reproduction works as expected. I might tag @chrisbreiding, who has deep expertise in this area of the code base.

lmiller1990 avatar Jul 14 '23 01:07 lmiller1990

Thanks for working on this issue @lmiller1990, @chrisbreiding. I can provide some clues for your reference.

I think the following changes introduced the breaking change. https://github.com/cypress-io/cypress/blob/1fcdc878b601d1eee870e30ee012993443d61742/packages/driver/src/util/privileged_channel.ts#L4-L15

It seems the changes are part of the privileged commands feature, which I'm not familiar with. It sets some CSP headers that disallow web workers from running in my scenario.

zhongsp avatar Jul 14 '23 12:07 zhongsp

Thanks for the prompt fix! Any word on when this will be available in a release?

c32hedge avatar Jul 19 '23 14:07 c32hedge

@c32hedge There should be a new release out this week, possibly today, that has the fix.

chrisbreiding avatar Jul 19 '23 14:07 chrisbreiding

Released in 12.17.2.

This comment thread has been locked. If you are still experiencing this issue after upgrading to Cypress v12.17.2, please open a new issue.

cypress-bot[bot] avatar Jul 20 '23 18:07 cypress-bot[bot]