feat: add experimentalModifyObstructiveThirdPartyCode flag for regex rewriter (#22568)

Author: AtofStryker

cli/types/cypress.d.ts

@@ -2849,6 +2849,15 @@ declare namespace Cypress {
      * @default false
      */
     experimentalSessionAndOrigin: boolean
+    /**
+     * Whether Cypress will search for and replace obstructive code in third party .js or .html files.
+     * NOTE: Setting this flag to true removes Subresource Integrity (SRI).
+     * Please see https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity.
+     * This option has no impact on experimentalSourceRewriting and is only used with the
+     * non-experimental source rewriter.
+     * @see https://on.cypress.io/configuration#experimentalModifyObstructiveThirdPartyCode
+     */
+    experimentalModifyObstructiveThirdPartyCode: boolean
     /**
      * Generate and save commands directly to your test suite by interacting with your app as an end user would.
      * @default false

packages/config/__snapshots__/index.spec.ts.js

@@ -37,6 +37,7 @@ exports['config/src/index .getDefaultValues returns list of public config keys 1
   "experimentalFetchPolyfill": false,
   "experimentalInteractiveRunEvents": false,
   "experimentalSessionAndOrigin": false,
+  "experimentalModifyObstructiveThirdPartyCode": false,
   "experimentalSourceRewriting": false,
   "fileServerFolder": "",
   "fixturesFolder": "cypress/fixtures",
@@ -115,6 +116,7 @@ exports['config/src/index .getDefaultValues returns list of public config keys f
   "experimentalFetchPolyfill": false,
   "experimentalInteractiveRunEvents": false,
   "experimentalSessionAndOrigin": false,
+  "experimentalModifyObstructiveThirdPartyCode": false,
   "experimentalSourceRewriting": false,
   "fileServerFolder": "",
   "fixturesFolder": "cypress/fixtures",
@@ -190,6 +192,7 @@ exports['config/src/index .getPublicConfigKeys returns list of public config key
   "experimentalFetchPolyfill",
   "experimentalInteractiveRunEvents",
   "experimentalSessionAndOrigin",
+  "experimentalModifyObstructiveThirdPartyCode",
   "experimentalSourceRewriting",
   "fileServerFolder",
   "fixturesFolder",

packages/config/src/options.ts

@@ -211,6 +211,13 @@ const resolvedOptions: Array<ResolvedConfigOption> = [
     validation: validate.isBoolean,
     isExperimental: true,
     canUpdateDuringTestTime: false,
+  }, {
+    name: 'experimentalModifyObstructiveThirdPartyCode',
+    defaultValue: false,
+    validation: validate.isBoolean,
+    isExperimental: true,
+    canUpdateDuringTestTime: false,
+    requireRestartOnChange: 'server',
   }, {
     name: 'experimentalSourceRewriting',
     defaultValue: false,

packages/driver/cypress/e2e/e2e/origin/integrity.cy.ts

@@ -0,0 +1,154 @@
+import CryptoJS from 'crypto-js'
+import type { TemplateExecutor } from 'lodash'
+
+// NOTE: in order to run these tests, the following config flags need to be set
+//    experimentalSessionAndOrigin=true
+//    experimentalModifyObstructiveThirdPartyCode=true
+describe('Integrity Preservation', () => {
+  // Add common SRI hashes used when setting script/link integrity.
+  // These are the ones supported by SRI (see https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity#using_subresource_integrity)
+  // For our tests, we will use CryptoJS to calculate these hashes as they can regenerate the integrity without us having to do it manually every
+  // single time the file changes. But if needed, this can be generated manually in the console by running simply run:
+  //     cat integrity.js|css | openssl dgst -sha384 -binary | openssl base64 -A
+  // the outputted hash is appended to the algorithm name, all lowercase with a trailing dash. For example:
+  //     sha256-MGkilwijzWAi/LutxKC+CWhsXXc6t1tXTMqY1zakP8c=
+  // See https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity on SRI integrity.
+
+  const availableDigests = ['SHA256', 'SHA384', 'SHA512']
+  const integrityJSDigests: {[key: string]: string} = {}
+  const integrityCSSDigests: {[key: string]: string} = {}
+  let templateExecutor: TemplateExecutor
+
+  before(() => {
+    // Before running our tests, we need to build out digests to inject into our HTML ejs template
+    // so we can set the integrity tag appropriately for the digest.
+
+    // This requires building digests for the integrity JS file that the regex-rewriter will rewrite.
+    cy.readFile('cypress/fixtures/integrity.js').then((integrityJS) => {
+      availableDigests.forEach((algo) => {
+        const hash = CryptoJS[algo](integrityJS)
+        const stringifiedBase64 = hash.toString(CryptoJS.enc.Base64)
+
+        integrityJSDigests[algo] = stringifiedBase64
+      })
+    })
+
+    // And building digests for the integrity CSS file that SHOULDN'T be impacted, but important to test against.
+    cy.readFile('cypress/fixtures/integrity.css').then((integrityCSS) => {
+      availableDigests.forEach((algo) => {
+        const hash = CryptoJS[algo](integrityCSS)
+        const stringifiedBase64 = hash.toString(CryptoJS.enc.Base64)
+
+        integrityCSSDigests[algo] = stringifiedBase64
+      })
+    })
+
+    cy.fixture('scripts-with-integrity').then((integrityTemplate) => {
+      templateExecutor = Cypress._.template(integrityTemplate, { variable: 'data' })
+    })
+  })
+
+  describe('<script> tags', () => {
+    availableDigests.forEach((algo) => {
+      it(`preserves integrity with static <script> in HTML with ${algo} integrity.`, () => {
+        cy.then(() => {
+          const compiledTemplate = templateExecutor({
+            staticScriptInjection: true,
+            integrityValue: `${algo.toLowerCase()}-${integrityJSDigests[algo]}`,
+          })
+
+          cy.intercept('http://www.foobar.com:3500/fixtures/scripts-with-integrity.html', compiledTemplate)
+        })
+
+        cy.visit('fixtures/primary-origin.html')
+        cy.get('[data-cy="integrity-link"]').click()
+        cy.origin('http://foobar.com:3500', () => {
+          // The added script, if integrity matches, should execute and
+          // add a <p> element with 'integrity script loaded' as the text
+          cy.get('#integrity', {
+            timeout: 1000,
+          }).should('contain', 'integrity script loaded')
+
+          cy.get('#static-set-integrity-script').should('have.attr', 'cypress-stripped-integrity')
+        })
+      })
+
+      it(`preserves integrity with dynamically added <script> in HTML with ${algo} integrity.`, () => {
+        cy.then(() => {
+          const compiledTemplate = templateExecutor({
+            dynamicScriptInjection: true,
+            integrityValue: `${algo.toLowerCase()}-${integrityJSDigests[algo]}`,
+          })
+
+          cy.intercept('http://www.foobar.com:3500/fixtures/scripts-with-integrity.html', compiledTemplate)
+        })
+
+        cy.visit('fixtures/primary-origin.html')
+        cy.get('[data-cy="integrity-link"]').click()
+        cy.origin('http://foobar.com:3500', () => {
+          // The added script, if integrity matches, should execute and
+          // add a <p> element with 'integrity script loaded' as the text
+          cy.get('#integrity', {
+            timeout: 1000,
+          }).should('contain', 'integrity script loaded')
+
+          cy.get('#dynamic-set-integrity-script').should('have.attr', 'cypress-stripped-integrity')
+        })
+      })
+    })
+  })
+
+  describe('<link> tags', () => {
+    availableDigests.forEach((algo) => {
+      it(`preserves integrity with static <link> in HTML with ${algo} integrity.`, () => {
+        cy.then(() => {
+          const compiledTemplate = templateExecutor({
+            staticLinkInjection: true,
+            integrityValue: `${algo.toLowerCase()}-${integrityCSSDigests[algo]}`,
+          })
+
+          cy.intercept('http://www.foobar.com:3500/fixtures/scripts-with-integrity.html', compiledTemplate)
+        })
+
+        cy.visit('fixtures/primary-origin.html')
+        cy.get('[data-cy="integrity-link"]').click()
+        cy.origin('http://foobar.com:3500', () => {
+          cy.get('[data-cy="integrity-header"]', {
+            timeout: 1000,
+          }).then((integrityHeader) => {
+            // The added link, if integrity matches, should execute and
+            // add a color 'red' to the data-cy="integrity-header" element
+            expect(window.getComputedStyle(integrityHeader[0]).getPropertyValue('color')).to.equal('rgb(255, 0, 0)')
+          })
+
+          cy.get('#static-set-integrity-link').should('have.attr', 'cypress-stripped-integrity')
+        })
+      })
+
+      it(`preserves integrity with dynamically added <link> in HTML with ${algo} integrity.`, () => {
+        cy.then(() => {
+          const compiledTemplate = templateExecutor({
+            dynamicLinkInjection: true,
+            integrityValue: `${algo.toLowerCase()}-${integrityCSSDigests[algo]}`,
+          })
+
+          cy.intercept('http://www.foobar.com:3500/fixtures/scripts-with-integrity.html', compiledTemplate)
+        })
+
+        cy.visit('fixtures/primary-origin.html')
+        cy.get('[data-cy="integrity-link"]').click()
+        cy.origin('http://foobar.com:3500', () => {
+          cy.get('[data-cy="integrity-header"]', {
+            timeout: 1000,
+          }).then((integrityHeader) => {
+            // The added link, if integrity matches, should execute and
+            // add a color 'red' to the data-cy="integrity-header" element
+            expect(window.getComputedStyle(integrityHeader[0]).getPropertyValue('color')).to.equal('rgb(255, 0, 0)')
+          })
+
+          cy.get('#dynamic-set-integrity-link').should('have.attr', 'cypress-stripped-integrity')
+        })
+      })
+    })
+  })
+})

packages/driver/cypress/e2e/e2e/origin/patches.cy.ts

@@ -0,0 +1,55 @@
+describe('src/cross-origin/patches', () => {
+  beforeEach(() => {
+    cy.visit('/fixtures/primary-origin.html')
+    cy.get('a[data-cy="cross-origin-secondary-link"]').click()
+  })
+
+  context('submit', () => {
+    it('correctly submits a form when the target is _top for HTMLFormElement', () => {
+      cy.origin('http://www.foobar.com:3500', () => {
+        cy.get('form').then(($form) => {
+          expect($form.attr('target')).to.equal('_top')
+          $form[0].submit()
+        })
+
+        cy.contains('Some generic content')
+      })
+    })
+  })
+
+  context('setAttribute', () => {
+    it('renames integrity to cypress-stripped-integrity for HTMLScriptElement', () => {
+      cy.origin('http://www.foobar.com:3500', () => {
+        cy.window().then((win: Window) => {
+          const script = win.document.createElement('script')
+
+          script.setAttribute('integrity', 'sha-123')
+          expect(script.getAttribute('integrity')).to.be.null
+          expect(script.getAttribute('cypress-stripped-integrity')).to.equal('sha-123')
+        })
+      })
+    })
+
+    it('renames integrity to cypress-stripped-integrity for HTMLLinkElement', () => {
+      cy.origin('http://www.foobar.com:3500', () => {
+        cy.window().then((win: Window) => {
+          const script = win.document.createElement('link')
+
+          script.setAttribute('integrity', 'sha-123')
+          expect(script.getAttribute('integrity')).to.be.null
+          expect(script.getAttribute('cypress-stripped-integrity')).to.equal('sha-123')
+        })
+      })
+    })
+
+    it('doesn\'t rename integrity for other elements', () => {
+      cy.origin('http://www.foobar.com:3500', () => {
+        cy.get('button[data-cy="alert"]').then(($button) => {
+          $button.attr('integrity', 'sha-123')
+          expect($button.attr('integrity')).to.equal('sha-123')
+          expect($button.attr('cypress-stripped-integrity')).to.be.undefined
+        })
+      })
+    })
+  })
+})

packages/driver/cypress/fixtures/integrity.css

@@ -0,0 +1,3 @@
+[data-cy="integrity-header"] {
+  color: rgb(255, 0, 0);
+}

packages/driver/cypress/fixtures/integrity.js

@@ -0,0 +1,4 @@
+var paragraph = document.createElement('p')
+paragraph.id = 'integrity'
+paragraph.textContent = 'integrity script loaded'
+document.querySelector('body').appendChild(paragraph)

packages/driver/cypress/fixtures/primary-origin.html

@@ -13,6 +13,7 @@
     <li><a data-cy="files-form-link" href="http://www.foobar.com:3500/fixtures/files-form.html">http://www.foobar.com:3500/fixtures/files-form.html</a></li>
     <li><a data-cy="errors-link" href="http://www.foobar.com:3500/fixtures/errors.html">http://www.foobar.com:3500/fixtures/errors.html</a></li>
     <li><a data-cy="screenshots-link" href="http://www.foobar.com:3500/fixtures/screenshots.html">http://www.foobar.com:3500/fixtures/screenshots.html</a></li>
+    <li><a data-cy="integrity-link" href="http://www.foobar.com:3500/fixtures/scripts-with-integrity.html">http://www.foobar.com:3500/fixtures/scripts-with-integrity.html</a></li>
     <li><a data-cy="cookie-login">Login with Social</a></li>
     <li><a data-cy="cookie-login-https">Login with Social (https)</a></li>
     <li><a data-cy="cookie-login-subdomain">Login with Social (subdomain)</a></li>

packages/driver/cypress/fixtures/scripts-with-integrity.html

@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<!-- NOTE: This is an EJS template used by the origin/integrity.cy.ts to test regex rewriting integrity -->
+<!-- using this fixture without compiling and rendering the template will cause errors -->
+<html>
+  <head>
+    <title>DOM Fixture</title>
+  </head>
+  <body>
+    <h1 data-cy="integrity-header">Integrity Scripts</h1>
+  </body>
+  <% if(data && data.staticLinkInjection) { %>
+    <!-- static link injection -->
+    <!-- the actual integrity of the file is: <%=data.integrityValue%> -->
+    <link id="static-set-integrity-link" rel="stylesheet" href="integrity.css" integrity="<%=data.integrityValue%>">
+  <% } %>
+
+  <% if(data && data.staticScriptInjection) { %>
+    <!-- static script injection -->
+    <!-- the actual integrity of the file is: <%=data.integrityValue%> -->
+    <script id="static-set-integrity-script" type="text/javascript" src="integrity.js" data-script-type="static" crossorigin="anonymous" integrity="<%=data.integrityValue%>"></script>
+  <% } %>
+
+  <% if(data && data.dynamicScriptInjection) { %>
+    <!-- dynamic script injection-->
+    <script type="text/javascript">
+      const dynamicIntegrityScript = document.createElement('script')
+      dynamicIntegrityScript.id = 'dynamic-set-integrity-script'
+      dynamicIntegrityScript.type = 'text/javascript'
+      dynamicIntegrityScript.src = 'integrity.js'
+      dynamicIntegrityScript.setAttribute('crossorigin', "anonymous")
+      dynamicIntegrityScript.setAttribute('data-script-type', 'dynamic')
+      // the actual integrity of the file is: <%=data.integrityValue%>
+      dynamicIntegrityScript.setAttribute('integrity', "<%=data.integrityValue%>")
+      
+      document.querySelector('head').appendChild(dynamicIntegrityScript)
+    </script>
+  <% } %>
+
+  <% if(data && data.dynamicLinkInjection) { %>
+    <!-- dynamic link injection -->
+    <script id="dynamic-link-injection" type="text/javascript">
+      const dynamicIntegrityScript = document.createElement('link')
+      dynamicIntegrityScript.id = 'dynamic-set-integrity-link'
+      dynamicIntegrityScript.rel = "stylesheet"
+      dynamicIntegrityScript.href = 'integrity.css'
+      dynamicIntegrityScript.setAttribute('crossorigin', "anonymous")
+      // the actual integrity of the file is: <%=data.integrityValue%>
+      dynamicIntegrityScript.setAttribute('integrity', "<%=data.integrityValue%>")
+      
+      document.querySelector('head').appendChild(dynamicIntegrityScript)
+    </script>
+  <% } %>
+</html>

packages/driver/cypress/fixtures/secondary-origin.html

@@ -7,7 +7,7 @@
   <p data-cy="cypress-check"></p>
   <p data-cy="window-before-load"></p>
   <input data-cy="text-input" type="text"/>
-  <form>
+  <form action="/fixtures/generic.html" method="get" target="_top">
     <button type="submit">Submit</button>
   </form>
   <button data-cy="alert">Alert</button>

packages/driver/package.json

@@ -6,8 +6,8 @@
     "clean-deps": "rimraf node_modules",
     "cypress:open": "node ../../scripts/cypress open",
     "cypress:run": "node ../../scripts/cypress run --spec \"cypress/e2e/*/*\",\"cypress/e2e/*/!(origin|sessions)/**/*\"",
-    "cypress:open-experimentalSessionAndOrigin": "node ../../scripts/cypress open --config experimentalSessionAndOrigin=true",
-    "cypress:run-experimentalSessionAndOrigin": "node ../../scripts/cypress run --config experimentalSessionAndOrigin=true",
+    "cypress:open-experimentalSessionAndOrigin": "node ../../scripts/cypress open --config experimentalSessionAndOrigin=true,experimentalModifyObstructiveThirdPartyCode=true",
+    "cypress:run-experimentalSessionAndOrigin": "node ../../scripts/cypress run --config experimentalSessionAndOrigin=true,experimentalModifyObstructiveThirdPartyCode=true",
     "postinstall": "patch-package",
     "start": "node -e 'console.log(require(`chalk`).red(`\nError:\n\tRunning \\`yarn start\\` is no longer needed for driver/cypress tests.\n\tWe now automatically spawn the server in e2e.setupNodeEvents config.\n\tChanges to the server will be watched and reloaded automatically.`))'"
   },
@@ -20,6 +20,7 @@
     "@cypress/what-is-circular": "1.0.1",
     "@packages/config": "0.0.0-development",
     "@packages/network": "0.0.0-development",
+    "@packages/rewriter": "0.0.0-development",
     "@packages/runner": "0.0.0-development",
     "@packages/runner-shared": "0.0.0-development",
     "@packages/server": "0.0.0-development",
@@ -45,6 +46,7 @@
     "cookie-parser": "1.4.5",
     "core-js-pure": "3.21.0",
     "cors": "2.8.5",
+    "crypto-js": "4.1.1",
     "cypress-multi-reporters": "1.4.0",
     "dayjs": "^1.10.3",
     "debug": "^4.3.2",

packages/driver/src/cross-origin/cypress.ts

@@ -20,6 +20,9 @@ import { handleScreenshots } from './events/screenshots'
 import { handleTestEvents } from './events/test'
 import { handleMiscEvents } from './events/misc'
 import { handleUnsupportedAPIs } from './unsupported_apis'
+import { patchDocumentCookie } from './patches/cookies'
+import { patchFormElementSubmit } from './patches/submit'
+import { patchElementIntegrity } from './patches/setAttribute'
 import $Mocha from '../cypress/mocha'
 import * as cors from '@packages/network/lib/cors'
 
@@ -105,6 +108,13 @@ const onBeforeAppWindowLoad = (Cypress: Cypress.Cypress, cy: $Cy) => (autWindow:
   Cypress.state('window', autWindow)
   Cypress.state('document', autWindow.document)
 
+  if (Cypress && Cypress.config('experimentalModifyObstructiveThirdPartyCode')) {
+    patchFormElementSubmit(autWindow)
+    patchElementIntegrity(autWindow)
+  }
+
+  patchDocumentCookie(Cypress, autWindow)
+
   // This is typically called by the cy function `urlNavigationEvent` but it is private. For the primary origin this is called in 'onBeforeAppWindowLoad'.
   Cypress.action('app:navigation:changed', 'page navigation event (\'before:load\')')