Cypress: Cypress incorrectly validates domain of cookies in 3.5.0

Created on 11 Nov 2019 · 8 Comments · Source: cypress-io/cypress

Current behavior:

Cookies are failing to set for subdomains during cy.request.
E.g. we call /auth of auth.test.server and it returns a token cookie with .test.server. In this case the cookie is not set.

Desired behavior:

The cookie is set in the above example.

Steps to reproduce: (app code and test code)

Look at packages/server/lib/request.coffee#setCookiesOnBrowser:

return if not tough.domainMatch(cookie.domain, parsedUrl.hostname)

And at tough-cookie documentation:

domainMatch(str,domStr[,canonicalize=true])
Answers "does this real domain match the domain in a cookie?". The str is the "current" domain-name and the domStr is the "cookie" domain-name. Matches according to RFC6265 Section 5.1.3, but it helps to think of it as a "suffix match".

So it should be:

return if not tough.domainMatch(parsedUrl.hostname, cookie.domain)

Versions

>=3.5.0

topic regression v3.5.0
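
The argument-order point from the report above, as an added example that is not code from the issue, Cypress or tough-cookie: a minimal RFC 6265 Section 5.1.3 matcher (helper names and sample hosts are constructed) evaluated with both argument orders. It goes slightly beyond the reported case by showing that the swapped order also accepts a cookie scoped to a child domain of the responding host.

```javascript
// Added example: a minimal RFC 6265 section 5.1.3 domain-match, not tough-cookie's code.
// Argument order follows the documentation quoted above: (requestHost, cookieDomain).

function canonicalize(domain) {
  // Lower-case and drop the leading dot a Set-Cookie Domain attribute may carry.
  return String(domain).trim().toLowerCase().replace(/^\./, '');
}

function isIpLiteral(host) {
  // IPv4 dotted quad, or anything containing ':' (IPv6); IPs never suffix-match.
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
}

function domainMatch(requestHost, cookieDomain) {
  const host = canonicalize(requestHost);
  const dom = canonicalize(cookieDomain);
  if (host === '' || dom === '') return false;
  if (host === dom) return true;        // identical strings always match
  if (isIpLiteral(host)) return false;  // suffix rule applies to host names only
  // The cookie domain must be a suffix of the host, preceded by a dot.
  return host.endsWith('.' + dom);
}

// Constructed cases: [request host, cookie Domain attribute]
const CASES = [
  ['auth.test.server', '.test.server'],       // parent-domain cookie from the issue
  ['auth.test.server', 'auth.test.server'],   // host-scoped cookie
  ['auth.test.server', 'a.auth.test.server'], // scoped to a child the host is not
  ['auth.test.server', 'other.server'],       // unrelated domain
  ['mytest.server', 'test.server'],           // suffix without a label boundary
  ['10.0.0.1', '0.0.1'],                      // IP address, no suffix matching
];

function compareOrders() {
  return CASES.map(([host, dom]) => ({
    host,
    cookieDomain: dom,
    correct: domainMatch(host, dom),  // (hostname, cookie.domain)
    swapped: domainMatch(dom, host),  // (cookie.domain, hostname), as in 3.5.0
  }));
}

for (const row of compareOrders()) console.log(row);
```

A regression test for this check should include at least one parent-domain case and one child-domain case, since an exact-match case passes with either argument order.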

All 8 comments

+1, as discussed here, we have exactly the same issue which is stopping us from upgrading from 3.4.1

The code for this is done in cypress-io/cypress#5657, but has yet to be released.
We'll update this issue and reference the changelog when it's released.

Released in 3.7.0.

@jennifer-shehane, @flotwig, @brian-mann,

Shame on me, guys, I've missed another incorrect usage of domainMatch in cypress here: https://github.com/cypress-io/cypress/blob/develop/packages/server/lib/browsers/cdp_automation.ts#L24

Which basically means that this issue is only partially resolved in #5657. Unfortunately, it looks like we have incorrect tests for that code as well: https://github.com/cypress-io/cypress/pull/5816.

I'm not sure if I will be able to pick this up soon enough. Could one of you please reopen this one and do the fix?

@tozes FYI

@donotello That's my bad, I noticed that the tests passed without that patch so I left it out. I forgot to go back and double-check it against tough-cookie's documentation, but I believe you're correct. I'll open a PR.

The code for this is done in cypress-io/cypress#5862, but has yet to be released.
We'll update this issue and reference the changelog when it's released.

Released in 3.8.0.
