Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Frame-breaking CSP directive: "frame-ancestors 'none'" prevents loading page, despite disabling Chrome Web Security

See original GitHub issue
  • Operating System: macOS 10.13.4
  • Cypress Version: 2.1.0
  • Browser Version: Chrome 65.0.3325.181

Is this a Feature or Bug?

Bug

Current behavior:

I’m using Cypress to run end-to-end tests on an application that allows users to configure a connection to a GitHub OAuth application. The interactions with GitHub are complex and involve needing to receive webhooks, so I want to test the actual connection as opposed to stubbing. I have managed to do this successfully with Bitbucket, but the authorization page on GitHub has a CSP rule that doesn’t seem to get caught despite setting "chromeWebSecurity": false in my Cypress configuration. The interaction is as follows:

  1. User creates an OAuth Application on GitHub
  2. User takes the Client ID and Client Secret from that OAuth Application and enters them in my application to create a connection just for their use.
  3. My application generates a callback URL for GitHub, which the user then enters in their GitHub OAuth application
  4. User returns to my application and clicks a button to connect to the OAuth application. This hits a URL in my own application that sets up the OAuth dance, and then redirects to GitHub’s authorization page
  5. When that redirection occurs, Cypress suddenly replaces the contents of the URL bar with data:, and displays a blank page. Opening the web inspector shows this error in the console:

Refused to display 'https://github.com/login/oauth/authorize?client_id=SCRUBBED&redirect_uri=SCRUBBED' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".

Desired behavior:

The above steps do not result in a blank page and the console error. Instead, the OAuth Authorization page is displayed and allows my test to click the “Authorize user” button and finish the OAuth dance

How to reproduce:

I can reproduce this in a barebones Rails app and have pushed the code to GitHub. You’ll need:

  • Ruby 2.5 along with the bundler gem
  • A GitHub username/password, probably one that is not of import. Make sure 2FA is not enabled.

Then, in one Terminal tab, set up and boot the application:

git clone https://github.com/davidcelis/cypress_framebusting.git
cd cypress_framebusting
bundle
bin/rails db:create db:migrate
bin/rails server

Then, in another tab, run the Cypress tests:

export CYPRESS_GITHUB_USERNAME=username
export CYPRESS_GITHUB_PASSWORD=password
yarn run cypress open

NOTE: The tests are written in a way that you’ll need to run the fifth test file between tries, so that it will delete the OAuth Application that gets created on GitHub as well as emptying the local application’s database

Test code:

https://github.com/davidcelis/cypress_framebusting/tree/master/cypress/integration/

Additional Info (images, stack traces, etc)

Possibly related to #1497

Issue Analytics

  • State:closed
  • Created 5 years ago
  • Comments:8 (6 by maintainers)

github_iconTop GitHub Comments

1reaction
brian-manncommented, Apr 9, 2018

Overall, I get what you’re trying to do. If you’d like, make some updates and post back here and we can give you feedback on your implementation.

It’s been on our radar for a long time now to do a comprehensive guide / recipe / example showing how to properly handle oAuth logins for 3rd party providers.

0reactions
brian-manncommented, Apr 9, 2018

Also - really suggest watching the Best Practices video we gave at a talk a couple months ago. Will highlight some things for you: https://docs.cypress.io/guides/references/best-practices.html#Organizing-Tests-Logging-In-Controlling-State

Read more comments on GitHub >

github_iconTop Results From Across the Web

CSP frame-ancestors - Content Security Policy
The most common way to use the frame-ancestors directive is to block a page from being framed by other pages. frame-ancestors 'none'. Using...
Read more >
Clickjacking Defense - OWASP Cheat Sheet Series
Preventing the browser from loading the page in frame using the X-Frame-Options or Content Security Policy (frame-ancestors) HTTP headers.
Read more >
CSP: frame-ancestors - HTTP - MDN Web Docs - Mozilla
The HTTP Content-Security-Policy (CSP) frame-ancestors directive specifies valid parents that may embed a page using , , , , or .
Read more >
Clickjacking Attacks: What They Are and How to Prevent Them
Clickjacking refers to any attack where the user is tricked into unintentionally clicking an unexpected web page element.
Read more >
Current best practices to restrict framing in the browser
As the founder of Pragmatic Web Security, I travel the world to teach ... a frame-ancestors 'none' directive in the CSP header prevents...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Dependencies missing while using your docker image

Next page

Error: Could not start Xvfb. Install XVFB and run Cypress again.