Cypress: chromeWebSecurity setting does not take effect in Electron browser

Created on 25 Aug 2020 · 8Comments · Source: cypress-io/cypress

Current behavior:

I make get request to external url.

 .route(/documents\/9\/embed_url/, {
   url:
     "https://casefleet-cypress-fixtures.s3.amazonaws.com/document-viewer/between/4pages/0.html",
 })

In Cypress 5.0 I've got error that request blocked by CORS policy.

Desired behavior:

In previous Cypress version 4.12.1 it worked without error.

I think it can be result of updating electron from 8.3.1 to 9.0.5

Versions

Cypress 5.0
Electron

electron existing workaround internal-priority bug v5.0.0

Source

alexborovkov

👍8

Most helpful comment

Yes, it seems like there is an open bug in Electron 9.x (which we upgraded to in Cypress 5) with disabling webSecurity: electron/electron#23664

Here is a workaround that should work based on this comment:

Set the ELECTRON_EXTRA_LAUNCH_ARGS environment variable to disable-features=OutOfBlinkCors to forcefully disable chromeWebSecurity in Cypress 5.

For example, in Linux or macOS:

ELECTRON_EXTRA_LAUNCH_ARGS=disable-features=OutOfBlinkCors cypress run ...

flotwig on 27 Aug 2020

👍5 🎉2

All 8 comments

@AleksandrBorovkov Any reason you think this is due to the Electron upgrade specifically? Does this error only happen in Electron? It doesn't happen in Chrome or Firefox?

Unfortunately we'll have to close this issue if there is not enough information to reproduce the problem. This does not mean that your issue is not happening - it just means that we do not have a path to move forward.

Is there any way to provide a reproducible example?

jennifer-shehane on 25 Aug 2020

My issue is similar to https://github.com/cypress-io/cypress/issues/8412
I also have "chromeWebSecurity": false setting. It works correctly in Chrome, but not in Electron

alexborovkov on 26 Aug 2020

Yes, it seems like there is an open bug in Electron 9.x (which we upgraded to in Cypress 5) with disabling webSecurity: electron/electron#23664

Here is a workaround that should work based on this comment:

Set the ELECTRON_EXTRA_LAUNCH_ARGS environment variable to disable-features=OutOfBlinkCors to forcefully disable chromeWebSecurity in Cypress 5.

For example, in Linux or macOS:

ELECTRON_EXTRA_LAUNCH_ARGS=disable-features=OutOfBlinkCors cypress run ...

flotwig on 27 Aug 2020

👍5 🎉2

Yeah we're getting the same issue as of Cypress 5.0 with Headless Electron, which seemingly worked fine before we upgraded.

Here's a log of my browser options:

browser  {
  preferences: {
    width: 1280,
    height: 720,
    show: false,
    automationMiddleware: {},
    projectRoot: omitted 
    browsers: [ [Object], [Object] ],
    proxyUrl: 'http://localhost:50823',
    userAgent: null,
    proxyServer: 'http://localhost:50823',
    socketIoRoute: '/__socket.io',
    chromeWebSecurity: false,
    url: omitted 
    isTextTerminal: true,
    browser: {
      name: 'electron',
      channel: 'stable',
      family: 'chromium',
      displayName: 'Electron',
      version: '83.0.4103.122',
      path: '',
      majorVersion: 83,
      info: 'Electron is the default browser that comes with Cypress. This is the default browser that runs in headless mode. Selecting this browser is useful when debugging. The version number indicates the underlying Chromium version that Electron uses.',
      isHeadless: true,
      isHeaded: false
    },
    x: null,
    y: null,
    devTools: false,
    minWidth: 100,
    minHeight: 100,
    contextMenu: true,
    partition: 'persist:run-25568',
    trackState: {
      width: 'browserWidth',
      height: 'browserHeight',
      x: 'browserX',
      y: 'browserY',
      devTools: 'isBrowserDevToolsOpen'
    },
    frame: true,
    recordFrameRate: null,
    webPreferences: {
      partition: null,
      webSecurity: true,
      nodeIntegration: false,
      backgroundThrottling: false
    }
  },
  extensions: [],
  args: [],
  concat: [Function],
  push: [Function],
  unshift: [Function],
  slice: [Function],
  pop: [Function],
  shift: [Function],
  splice: [Function],
  filter: [Function],
  map: [Function],
  forEach: [Function],
  reduce: [Function],
  reverse: [Function],
  includes: [Function],
  [Symbol(Symbol.iterator)]: [Function: bound values]
}

We're making a request to a service outside of the baseURL and can easily reproduce this issue with Cypress 5.0

Switching to Chrome and adding --browser chrome --headless to the Cypress run script works and we can effectively bypass CORS issues as chromeWebSecurity is set to false. However, we're stuck with Electron for the time being and this issue is somewhat blocking us unless we decide to revert.

I have tried your suggestions @flotwig but it doesn't do the trick, it might just be me not setting it correctly, I have set the env var in my shell, on my machine and even added to the cypress run script yet I can't get the "workaround" to work. Here's the run script:

"cy:x": "cypress run --env ELECTRON_EXTRA_LAUNCH_ARGS=disable-features=OutOfBlinkCors --spec=\"cypress/integration/my-tests.spec.js\"",

Anything else I should try or amend?

AhmedAlsaab on 28 Aug 2020

@AhmedAlsaab it should be an OS environment variable, not a Cypress.env environment variable:

macOS/Linux:

ELECTRON_EXTRA_LAUNCH_ARGS=disable-features=OutOfBlinkCors cypress run --spec=\"cypress/integration/my-tests.spec.js\"

If you're on Windows, you can npm i cross-env and use that to set env vars:

cross-env ELECTRON_EXTRA_LAUNCH_ARGS=disable-features=OutOfBlinkCors cypress run --spec=\"cypress/integration/my-tests.spec.js\"

flotwig on 28 Aug 2020

If you're on Windows, you can npm i cross-env and use that to set env vars:
cross-env ELECTRON_EXTRA_LAUNCH_ARGS=disable-features=OutOfBlinkCors cypress run --spec=\"cypress/integration/my-tests.spec.js\"

Awesome that did the trick and is a feasible workaround for us! Thanks @flotwig

AhmedAlsaab on 28 Aug 2020

The code for this is done in cypress-io/cypress#8406, but has yet to be released.
We'll update this issue and reference the changelog when it's released.