When running Cypress against a site that implements SRI hashes, resources on the page are immediately blocked by Chrome and the page will not load due to invalid hashes. Disabling chromeWebSecurity does nothing. The following error appears in the Chrome DevTools console.
Failed to find a valid digest in the 'integrity' attribute for resource 'https://{my-domain}/assets/vendor-cdn-c9965fdc08cb8e112642197db5d0fc54.js' with computed SHA-256 integrity '2/Ht5YqBxaylA4fn2318LzUh4tFwjZH4WlN0lsHme9M='. The resource has been blocked.
The page of an SRI-enabled site can load and not be blocked by Chrome. Either Cypress dynamically corrects the hash when it tampers with the file, or the chromeWebSecurity option actually disables SRI checks in Chrome.
Cypress 3.1.0
Fedora 28
Chrome 68.0.3440.106
Confirmed, we have the same problem.
Is there any word on how this may be addressed or if there is any simple workaround for this?
This prevents us from running any test automation outside our own local machines and prevents us from using Cypress as part of our continuous delivery pipeline.
I'm happy to contribute a solution if a maintainer might point me in the right direction.
Test code to reproduce issue
it('fails to pass SRI', function () {
  cy.visit('https://github.com')
})
Console error on test above:
Specification for SRI: https://w3c.github.io/webappsec-subresource-integrity/
When a browser encounters a
Hi there! We are experiencing the same issue as above while testing our website.
Are there plans to fix this issue? I noticed this was slated for sprint 15 but didn't get finished as part of it.
Also, are there any workarounds at the moment which don't involve changing the application under test?
Thanks!
Hi, We have the same issue. Is there a plan for when this bug will be fixed in Cypress?
Same issue here too!
This is something that we will fix when #1467 is implemented.
There is a WIP PR for this: #5273
Hi, we have the same issue.
Is it planned to merge this PR soon?
Thx
Hello,
Have the same issue. Is there any plan to merge those pull requests soon?
Do you have an ETA?
This is really a big blocker for us.
Thanks for your attention,
Foursource QA lead
Just added this in #5273. Once released, SRI integrity attributes in script tags <script type="text/javascript"> will be rewritten to cypress:stripped-integrity attributes.
<script type="text/javascript" integrity="foo">
becomes the below which will cause integrity checking to be skipped.
<script type="text/javascript" cypress:stripped-integrity="foo">
The code for this is done in cypress-io/cypress#5273, but has yet to be released.
We'll update this issue and reference the changelog when it's released.
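The integrity check behind the "Failed to find a valid digest" error in the original report, and why a renamed attribute skips it, as an added example (not code from this thread or from Cypress). The script bodies are constructed samples, and parseIntegrity, passesSri and sriFor are hypothetical helper names that follow the SRI specification linked above.

```javascript
const { createHash } = require('node:crypto');

// Hash algorithms the SRI specification requires, weakest to strongest.
const STRENGTH = ['sha256', 'sha384', 'sha512'];

// Parse an integrity attribute into { alg, digest } entries, dropping
// unknown algorithms and any "?option" suffix on a token.
function parseIntegrity(value) {
  return (value || '').trim().split(/\s+/).filter(Boolean).map((token) => {
    const dash = token.indexOf('-');
    if (dash < 1) return null;
    return {
      alg: token.slice(0, dash).toLowerCase(),
      digest: token.slice(dash + 1).split('?')[0],
    };
  }).filter((e) => e && STRENGTH.includes(e.alg) && e.digest);
}

// True when the resource may load: either there is no usable integrity
// metadata (check skipped), or a digest of the strongest listed algorithm
// matches the bytes actually received.
function passesSri(integrity, body) {
  const entries = parseIntegrity(integrity);
  if (entries.length === 0) return true;
  const best = Math.max(...entries.map((e) => STRENGTH.indexOf(e.alg)));
  return entries
    .filter((e) => STRENGTH.indexOf(e.alg) === best)
    .some((e) => createHash(e.alg).update(body).digest('base64') === e.digest);
}

// Build the integrity value a site would publish for a resource.
function sriFor(body, alg = 'sha256') {
  return `${alg}-${createHash(alg).update(body).digest('base64')}`;
}

// Constructed sample: a script as published, and the same script after
// something between server and browser has modified its source.
const served = Buffer.from('console.log("vendor bundle");\n');
const rewritten = Buffer.from('console.log("vendor bundle"); /* modified */\n');
const integrity = sriFor(served);

function demo() {
  return {
    untouched: passesSri(integrity, served),   // true
    modified: passesSri(integrity, rewritten), // false: resource is blocked
    stripped: passesSri(undefined, rewritten), // true: no integrity attribute left
  };
}
console.log(demo());
```

Outside a test runner the same function can confirm that a deployed asset still matches the integrity value published in the page, which is the guarantee that stripping the attribute gives up.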
Released in 4.6.0.
This comment thread has been locked. If you are still experiencing this issue after upgrading to Cypress v4.6.0, please open a new issue.
This fix is available starting in 4.6.0 as an experiment which you can access by setting this config option in your cypress.json or elsewhere:
{
  "experimentalSourceRewriting": true
}
The fix is experimental, so there may be some situations where this is not fixed.
If you're still experiencing this issue while setting experimentalSourceRewriting to true in 4.6.0, open a new issue with a reproducible example, screenshots, etc., filling out our issue template.