Skip to content

chore: wire CDP Fetch runtime when proxy is disabled#34276

Open
cacieprins wants to merge 8 commits into
developfrom
cacie/34271/cdp-runtime-when-proxy-disabled
Open

chore: wire CDP Fetch runtime when proxy is disabled#34276
cacieprins wants to merge 8 commits into
developfrom
cacie/34271/cdp-runtime-when-proxy-disabled

Conversation

@cacieprins

Copy link
Copy Markdown
Collaborator

Additional details

Wires the CDP Fetch network runtime when the MITM proxy is disabled (CYPRESS_INTERNAL_DISABLE_PROXY), so AUT request/response traffic is surfaced through CDP Fetch instead of the Node proxy.

  • Adds ServerBase.createCdpFetchNetworkRuntime and hooks it from Chrome/Electron via onPageCriClientReady when the proxy is disabled
  • Slims createCdpFetchRuntime to a lightweight HttpIntercept + CdpFetchTransport path (no legacy NetworkProxy pipeline)
  • Skips proxy-detection / non-proxied clientRoute guards when the proxy is disabled, since path-only hits to the Cypress server are expected under CDP Fetch
  • Passes isAUTFrame into the CDP Fetch transport for AUT-frame correlation

Depends on the CDP Fetch transport from #34222.

Steps to test

  1. Run with proxy disabled (CYPRESS_INTERNAL_DISABLE_PROXY=1) against a Chromium browser.
  2. Confirm AUT traffic is paused/continued via CDP Fetch and reaches HttpIntercept.
  3. Confirm Cypress client assets still load (no false "launched outside Cypress" / non-proxied clientRoute failures).
  4. Spot-check that proxy-enabled mode is unchanged.

How has the user experience changed?

No change for default (proxy-enabled) runs. Enables the proxy-disabled CDP Fetch path for the HTTP/2 interception migration.

PR Tasks

  • Is there an associated issue with maintainer approval for PR submission?
  • Have tests been added/updated?
  • [na] Has a PR for user-facing changes been opened in cypress-documentation?
  • [na] Have API changes been updated in the type definitions?

Made with Cursor

Comment thread packages/server/lib/browsers/cdp-protocol/cdp-fetch-transport.ts Outdated
Comment thread packages/server/lib/server-base.ts Outdated
@cypress

cypress Bot commented Jul 10, 2026

Copy link
Copy Markdown

cypress    Run #72376

Run Properties:  status check passed Passed #72376  •  git commit a880bfb9a7: fix: harden CDP Fetch runtime teardown and scope the AUT-frame header to documen...
Project cypress
Branch Review cacie/34271/cdp-runtime-when-proxy-disabled
Run status status check passed Passed #72376
Run duration 08m 03s
Commit git commit a880bfb9a7: fix: harden CDP Fetch runtime teardown and scope the AUT-frame header to documen...
Committer Bill Glesias
View all properties for this run ↗︎

Test results
Tests that failed  Failures 0
Tests that were flaky  Flaky 0
Tests that did not run due to a developer annotating a test with .skip  Pending 3
Tests that did not run due to a failure in a mocha hook  Skipped 0
Tests that passed  Passing 0
View all changes introduced in this branch ↗︎

Warning

No Report: Something went wrong and we could not generate a report for the Application Quality products.

Comment thread packages/server/lib/server-base.ts
@AtofStryker AtofStryker self-assigned this Jul 14, 2026
cacieprins and others added 4 commits July 14, 2026 10:16
Co-authored-by: Cursor <cursoragent@cursor.com>
Merging develop reintroduced CreateProxyRuntimeDeps on createCdpFetchRuntime, which broke the proxy-disabled call site that only passes client/isAUTFrame.

Co-authored-by: Cursor <cursoragent@cursor.com>
Reset clears in-flight state without disabling Fetch, and continueRequest
headers always include X-Cypress-Is-AUT-Frame when the request is AUT-frame.

Co-authored-by: Cursor <cursoragent@cursor.com>
@AtofStryker AtofStryker force-pushed the cacie/34271/cdp-runtime-when-proxy-disabled branch from 00ca773 to 72d49a8 Compare July 14, 2026 14:36
…ions

Cfg.clientRoute is optional because RuntimeConfigOptions extends
Partial<RuntimeServerConfigOptions>. Reuse InternalRouteConfig for CDP
Fetch runtime deps so server-base can pass _openConfig without TS2322.

Co-authored-by: Cursor <cursoragent@cursor.com>
@AtofStryker AtofStryker force-pushed the cacie/34271/cdp-runtime-when-proxy-disabled branch from 703bf54 to 08027c5 Compare July 14, 2026 15:39
…bled

startWebsockets left options.getRenderedHTMLOrigins undefined without a
networkProxy, but the driver requests the map in its before-each via
reset:cached:test:state, crashing socket-base and skipping all tests.
Fall back to an empty map until CDP-based injection tracks origins.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
AtofStryker and others added 2 commits July 14, 2026 13:26
…header

The serve-internal-routes loopback request line is path-only, so Express
consumers that derive the request origin from req.proxiedUrl (e.g. the
spec-bridge iframe controller) saw a path instead of an origin. Send the
browser's original absolute URL as the loopback header value and have
setProxiedUrl restore it as proxiedUrl for trusted loopbacks.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
… to documents

- Swallow rejections when stopping the previous CDP Fetch runtime so a dead
  page client (spec change, relaunch) cannot fail the next launch
- Only inject X-Cypress-Is-AUT-Frame on document requests, matching the
  other automation layers, and dedupe it on redirect re-pauses so it never
  leaks to origin servers on AUT subresource traffic
- Share the AUT_FRAME_HEADER constant across the CDP/BiDi/WebKit layers
- Make CdpFetchTransport.reset() synchronous and document that `hosts` and
  `blockHosts` are not enforced in proxy-disabled mode

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

@cursor cursor Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Want reviews to match your repository better? Bugbot Learning can learn team-specific rules from PR activity. A team admin can enable Learning in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit a880bfb. Configure here.

headers.push({
name: AUT_FRAME_HEADER,
value: 'true',
})

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AUT header leaks upstream without proxy

Medium Severity

With the MITM proxy disabled, CDP Fetch adds X-Cypress-Is-AUT-Frame on AUT document Fetch.continueRequest calls. That traffic no longer passes through NetworkProxy request middleware, which previously removed the header before upstream requests. External AUT navigations can therefore send this internal Cypress marker to the application origin.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit a880bfb. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

CDP transport for HttpIntercept

2 participants