chore: wire CDP Fetch runtime when proxy is disabled#34276
Conversation
cypress
|
||||||||||||||||||||||||||||
| Project |
cypress
|
| Branch Review |
cacie/34271/cdp-runtime-when-proxy-disabled
|
| Run status |
|
| Run duration | 08m 03s |
| Commit |
|
| Committer | Bill Glesias |
| View all properties for this run ↗︎ | |
| Test results | |
|---|---|
|
|
0
|
|
|
0
|
|
|
3
|
|
|
0
|
|
|
0
|
| View all changes introduced in this branch ↗︎ | |
Warning
No Report: Something went wrong and we could not generate a report for the Application Quality products.
Co-authored-by: Cursor <cursoragent@cursor.com>
Merging develop reintroduced CreateProxyRuntimeDeps on createCdpFetchRuntime, which broke the proxy-disabled call site that only passes client/isAUTFrame. Co-authored-by: Cursor <cursoragent@cursor.com>
Reset clears in-flight state without disabling Fetch, and continueRequest headers always include X-Cypress-Is-AUT-Frame when the request is AUT-frame. Co-authored-by: Cursor <cursoragent@cursor.com>
00ca773 to
72d49a8
Compare
…ions Cfg.clientRoute is optional because RuntimeConfigOptions extends Partial<RuntimeServerConfigOptions>. Reuse InternalRouteConfig for CDP Fetch runtime deps so server-base can pass _openConfig without TS2322. Co-authored-by: Cursor <cursoragent@cursor.com>
703bf54 to
08027c5
Compare
…bled startWebsockets left options.getRenderedHTMLOrigins undefined without a networkProxy, but the driver requests the map in its before-each via reset:cached:test:state, crashing socket-base and skipping all tests. Fall back to an empty map until CDP-based injection tracks origins. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…header The serve-internal-routes loopback request line is path-only, so Express consumers that derive the request origin from req.proxiedUrl (e.g. the spec-bridge iframe controller) saw a path instead of an origin. Send the browser's original absolute URL as the loopback header value and have setProxiedUrl restore it as proxiedUrl for trusted loopbacks. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
… to documents - Swallow rejections when stopping the previous CDP Fetch runtime so a dead page client (spec change, relaunch) cannot fail the next launch - Only inject X-Cypress-Is-AUT-Frame on document requests, matching the other automation layers, and dedupe it on redirect re-pauses so it never leaks to origin servers on AUT subresource traffic - Share the AUT_FRAME_HEADER constant across the CDP/BiDi/WebKit layers - Make CdpFetchTransport.reset() synchronous and document that `hosts` and `blockHosts` are not enforced in proxy-disabled mode Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Want reviews to match your repository better? Bugbot Learning can learn team-specific rules from PR activity. A team admin can enable Learning in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit a880bfb. Configure here.
| headers.push({ | ||
| name: AUT_FRAME_HEADER, | ||
| value: 'true', | ||
| }) |
There was a problem hiding this comment.
AUT header leaks upstream without proxy
Medium Severity
With the MITM proxy disabled, CDP Fetch adds X-Cypress-Is-AUT-Frame on AUT document Fetch.continueRequest calls. That traffic no longer passes through NetworkProxy request middleware, which previously removed the header before upstream requests. External AUT navigations can therefore send this internal Cypress marker to the application origin.
Reviewed by Cursor Bugbot for commit a880bfb. Configure here.
|
I put together a reference commit for something I noticed in review: 1ec7f9b.
The commit signs the header with a per-process random token (same idea as the file-server token) and only honors it when the token matches. Tests updated, plus negative cases for the spoofed header. Might be overkill for an initial pass of an internal flag — fine as a fast-follow too. Sharing so the fix is concrete either way. |
| request: deps.request, | ||
| })) | ||
|
|
||
| networkInterception.use(networkProxy.http.createLegacyProxyPipeline(syntheticCodec)) |
There was a problem hiding this comment.
I see the description calls this out ("Slims createCdpFetchRuntime to a lightweight HttpIntercept + CdpFetchTransport path (no legacy NetworkProxy pipeline)"), but it's unclear to me why we're removing the legacy NetworkProxy pipeline here. #34250 just wired it up as intercept middleware, and dropping it from the CDP runtime means none of the legacy request/response stages run in proxy-disabled mode.
Is this intentional as a starting point we build around (porting the middleware onto HttpIntercept piece by piece), rather than re-mounting the legacy pipeline over the synthetic codec?
If it is, then we likely need to address #34276 (comment) — with the legacy pipeline gone, nothing strips X-Cypress-Is-AUT-Frame, so the header the transport injects is sent along to the origin server when it shouldn't be.


Additional details
Wires the CDP Fetch network runtime when the MITM proxy is disabled (
CYPRESS_INTERNAL_DISABLE_PROXY), so AUT request/response traffic is surfaced through CDP Fetch instead of the Node proxy.ServerBase.createCdpFetchNetworkRuntimeand hooks it from Chrome/Electron viaonPageCriClientReadywhen the proxy is disabledcreateCdpFetchRuntimeto a lightweight HttpIntercept + CdpFetchTransport path (no legacy NetworkProxy pipeline)isAUTFrameinto the CDP Fetch transport for AUT-frame correlationDepends on the CDP Fetch transport from #34222.
Steps to test
CYPRESS_INTERNAL_DISABLE_PROXY=1) against a Chromium browser.How has the user experience changed?
No change for default (proxy-enabled) runs. Enables the proxy-disabled CDP Fetch path for the HTTP/2 interception migration.
PR Tasks
cypress-documentation?type definitions?Made with Cursor