Cypress silently drops secure cookies from requests (Chromium), fails to set secure cookie at all (Firefox) #18690
Comments
I am also observing this issue and it significantly impedes our ability to implement and run Cypress tests for our application when it's running locally. Any update on resolving this problem would be greatly appreciated, or if anyone knows of a workaround we can implement in the meantime, that would be great! |
Not really a work around, but had a similar problem today. Found another issue that mentioned how downgrading to Seems like a regression? |
Workaround: Instead of using cy.visit(), get the window object and manually set location.href. e.g. cy.window().then((win) => win.location.href=yourURL); |
* fix(db/setup.pgsql): use less intrusive deletions
* test(fixtures): add `pg_dump` sql seed
* wip(tests/index): add placeholder for cookie tests
  Blocked by cypress-io/cypress#18690 and cypress-io/cypress#19316
* test(fixtures/db.sql): update for new constraints
* fix(db/setup): add unique constraints to dedupe `scores`
  Fixes TS-66
* chore(scripts/data): import latest influencer scores
  Fixes TS-66
* feat(app): add `data-cy` testing labels
* test($cluster.spec): use new filters and sorting
* ci(test): setup docker services tests
* deps: add `@percy/cli` package
* ci(workflows): remove unused env vars
* test(cypress.json): add retries during ci
* test($cluster): add nprogress hidden assertions
* test($cluster): move `loading(false)` outside `within`
We're seeing the same problem. It happens when we intercept a call and modify the body -- the subsequent call won't have the cookie. |
I'm also seeing the same problem. Running Cypress locally is fine, but when running in docker it breaks. I created a simple repository to reproduce the problem: |
This issue has not had any activity in 180 days. Cypress evolves quickly and the reported behavior should be tested on the latest version of Cypress to verify the behavior is still occurring. It will be closed in 14 days if no updates are provided. |
This issue has been closed due to inactivity. |
This is still an issue in Cypress 13.6.0

FWIW, here's the workaround helper we run as the last step of our login command: (Update 2024-03-24: We found a more effective workaround here.)

```js
/**
 * Workaround for https://github.com/cypress-io/cypress/issues/18690
 */
function makeCookiesInsecure() {
  cy.getCookies().then((cookies) => {
    // Pick the next cookie that is still flagged secure; stop when none remain.
    const cookie = cookies.find(({ secure }) => !!secure);
    if (!cookie) return;
    // Re-create it with the same name and value, without the secure flag or sameSite.
    cy.clearCookie(cookie.name).setCookie(cookie.name, cookie.value, {
      ...cookie,
      secure: false,
      sameSite: undefined,
    });
    cy.reload();
    // Recurse until every secure cookie has been rewritten.
    makeCookiesInsecure();
  });
}
```
Reopening |
I'm seeing the same problem with Firefox v121 and Cypress v12.17.4 or v13.6.3. In Chrome v120 it works for me. |
This issue has not had any activity in 180 days. Cypress evolves quickly and the reported behavior should be tested on the latest version of Cypress to verify the behavior is still occurring. It will be closed in 14 days if no updates are provided. |
We still see the issue with |
Current behavior
Cypress misbehaves when managing secure cookies on localhost.
Chromium
Cypress visits some path (e.g., `/set-cookie`) that sets a `secure` cookie. Then, Cypress visits another path (`/`) that reads the cookie value. On that second request, Cypress doesn't send the cookie. Chromium indicates the cookie is sent, but the web server doesn't receive it, and a MitM proxy shows the cookie is not in the request. If the cookie is not marked as `secure`, everything behaves correctly.
The attached reproduction repo provides the details about this test.
Cookie in devtools:
Request that pretends to send the cookie:
Intercepted request:
For comparison, here's the intercepted request when using an insecure cookie:
Firefox
In Firefox, the secure cookie is never set in the first place.
Devtools prints:
Cookie “mySecureCookie” has been rejected because a non-HTTPS cookie can’t be set as “secure”.
(Related: #16611)
Desired behavior
localhost is considered a secure browsing context, and the repro app works correctly outside of Cypress. Setting and transmitting a secure cookie on localhost should be successful. Failing that, Chromium should not lie about whether the cookie is being sent.
Test code to reproduce
Here's an app I put together that minimally reproduces the issue, with failing Cypress tests.
`npm install`, `npm start` to launch the web server, `npm test` to show the Cypress tests demonstrating the failure.
Cypress Version
8.7.0
Other
If I open a normal Chromium or Firefox instance, everything works correctly. This only happens under Cypress' automation.
Chromium version: 94.0.4606.81 (openSUSE Build) stable (64-bit)
Firefox version: 93.0 (64-bit)
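The two-route setup described in the report, as an added example that is neither the reporter's repro app nor Cypress code: `/set-cookie` sets the cookie and `/` reports whether it arrived, with the server logging the raw `Cookie` header so it can be compared against what devtools claims was sent. The port, the `?secure=0` toggle, the `--listen` flag and the cookie value `hello` are assumptions.

```javascript
// Added example; not the reporter's repro app and not Cypress code.
const COOKIE_NAME = 'mySecureCookie'; // name from the Firefox devtools message

// Parse a Cookie request header into a name -> value map.
function parseCookies(header = '') {
  const jar = Object.create(null);
  for (const pair of header.split(';')) {
    const idx = pair.indexOf('=');
    if (idx < 0) continue;
    const name = pair.slice(0, idx).trim();
    if (name) jar[name] = pair.slice(idx + 1).trim();
  }
  return jar;
}

// Build the Set-Cookie value; `secure` toggles the attribute under test.
function buildSetCookie(value, secure = true) {
  const attrs = [`${COOKIE_NAME}=${encodeURIComponent(value)}`, 'Path=/'];
  if (secure) attrs.push('Secure');
  return attrs.join('; ');
}

// Pure handler: what the server answers for a given URL and request headers.
function handle(url, headers) {
  const { pathname, searchParams } = new URL(url, 'http://localhost');
  if (pathname === '/set-cookie') {
    const secure = searchParams.get('secure') !== '0'; // assumed toggle
    return { status: 200, headers: { 'Set-Cookie': buildSetCookie('hello', secure) }, body: 'cookie set' };
  }
  if (pathname === '/') {
    const received = COOKIE_NAME in parseCookies(headers.cookie);
    return { status: 200, headers: {}, body: received ? 'cookie received' : 'cookie missing' };
  }
  return { status: 404, headers: {}, body: 'not found' };
}

// Serve the handler and log the raw Cookie header the server actually received.
async function startServer(port = 3000) { // port is an assumption
  const http = await import('node:http');
  return http.createServer((req, res) => {
    console.log(`${req.method} ${req.url} cookie=${req.headers.cookie ?? '(none)'}`);
    const out = handle(req.url, req.headers);
    res.writeHead(out.status, { 'Content-Type': 'text/plain', ...out.headers });
    res.end(out.body);
  }).listen(port, 'localhost');
}

if (process.argv.includes('--listen')) startServer(); // assumed flag
```

Requesting `/set-cookie?secure=0` gives the insecure-cookie comparison case from the report.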