How to handle sign on with security restrictions in Cypress - javascript

I am a beginner in working with Cypress.
I am trying to build one test scenario for login.
I have this first url defined in cypress.json which is the page for signing in:
"cozone_url": "https://idp-develop-devdb.staging.cozone.com/"
After successfully logging in, I am taken to the second page with URL: https://portal-develop-devdb.staging.cozone.com/ui/#/. In this page, I have one element which by clicking on it takes me to the actual application that I need to automate:
If I do not remove target attribute for the app element, the application opens correctly on a new child tab. I know that this is not handled with cypress so I tried to remove it:
And ('I Click on Azets Invoice icon', ()=> {
//this should open url https://invoice.test.azets.com/en
cy.get("a[data-test-application-identifier='EFLOW_INVOICES_V2']").invoke('removeAttr','target').click() })
A new tab is not opened, but the https://invoice.test.azets.com/en is not loaded in the original tab and I have this error:
Refused to frame '' because it violates the following Content Security Policy directive: "frame-src
Also, when trying to go directly to the url with visit method I have this error:
The new URL is considered a different origin because the following parts of the URL are different
I know that this happens because of the security restrictions, that Cypress does not allow to change the domain within the same test, but how can I automate this scenario?
I login from url 1, then a page is opened where I have the link to my app and have to click on it and go to url2, which I am not allowed.
I tried to split this into 2 tests and use Cypress.Cookies.preserveOnce() method, but I don't know which cookie name I should preserve for the second test.
Do you have any idea on how should I automate the scenario using Cypress?

Try turning off web security to remove CORS restrictions.
In cypress.json add
{
"chromeWebSecurity": false
}
Ref: Web Security

Related

I want to redirect to a website and then click on a button on it

I want to redirect my browser to another website and then click on a action button on that website. I think i should add some time delay in between these two tasks. The code i have written do only one event at a time.
window.location.href = "http://www.google.com";
var delayInMilliseconds = 2000;
setTimeout(function() {
document.getElementById('action-button').dispatchEvent(new MouseEvent("click"));
}, delayInMilliseconds);
It's forbidden to do this for security reasons.
In computing, the same-origin policy is an important concept in the
web application security model. Under the policy, a web browser
permits scripts contained in a first web page to access data in a
second web page, but only if both web pages have the same origin. An
origin is defined as a combination of URI scheme, host name, and port
number. This policy prevents a malicious script on one page from
obtaining access to sensitive data on another web page through that
page's Document Object Model.
Source
It is not possible in this manner.
First you change the url of the page which will stop the rest of your JS code from executing. So your timeout will never reach the google page.
Instead implement an <iframe> with the src set to http://www.google.com. Then select the iframe and look for your element in there.
This post will explain how to select the element from an iframe.
Get element from within an iFrame
At the moment you redirect the user with window.location.href any other script won't be executed.
Sort of hack to do what you want is implant script on the second website that will trigger if the user came from a specific URL. Something like that:
var URL = "OLDWEBSITEURL";
var x = window.history.back();
if (x === URL) {
document.getElementById('action-button').dispatchEvent(new MouseEvent("click"));
/* or any other code */
}
Note that if the user open the link on different window/tab or/and disable js it won't work.

Clear the Omnibox from Chrome extension code

I've written a Chrome extension that replaces the new tab if the user wants that. It works by intercepting tabs.onUpdated and redirecting chrome://newtab/ to another page from the extension, as described in this answer.
The problem is that the address bar of that page keeps the (ugly) URL of the HTML within the extension, e.g. chrome-extension://hibkhcnpkakjniplpfblaoikiggkopka/html/newtabl.html. How can that URL be replaced with the empty string?
I've tried history.replaceState, but the best that can do is to change the file (newtab.html) in the path. Using an http:// URL crashes the extension:
history.replaceState({}, 'iDoRecall practice', 'http://type-anything-here.com');
Any clever way to clear the Omnibox?
Put simply, History API can only change the path part of the URL, not the origin (protocol://host:port) for an obvious reason of preventing site fraud:
If the origin of the resulting absolute URL is not the same as the origin of the responsible document specified by the entry settings object, and either the path or query components of the two parsed URLs compared in the previous step differ, throw a SecurityError exception and abort these steps. (This prevents sandboxed content from spoofing other pages on the same origin.)
The omnibox may be empty only in one case: on a new tab page, that is you'll have to replace the new tab in manifest.json in chrome_url_overrides.

Google Chrome Extenshion - override content of non existing site

Basicly what I want is to create extension that will override content of a certain URL:
http://overrideme
As you can imagine this page dose not exist in this world. So the effect i want to create is this. If user have my extenshion installed then if he went to http://overrideme he will see content of a page that i will provide
PS: i tryed to use "content" scripts, but they are no good, since they work with web pages that do exist.
While webRequest API cannot allow you to show a page with http://overrideme in the address bar, it can allow you to show any other page instead whenever http://overrideme is requested (including resources, not just page navigation)
I.e. it can redirect http://overrideme to chrome-extension://yourextensionid/override.html
You need to respond to an onBeforeSendHeaders event with {redirectUrl: url} blocking response.

how to configure settings in developer facebook?

I used plone 4.3 my site name is localhost:8080/alpster. I created sample page with facebook login.now when i click login button I got error like
Given URL is not allowed by the Application configuration.: One or more of the given URLs is not allowed by the App's settings. It must match the Website URL or Canvas URL, or the domain must be a subdomain of one of the App's domains.
my configure settings :
developer.facebook.com--->>>settings----> basic
namespace="alpster-login"
App Domains=alpster
Contact Email=my valid email
Site URL=localhost.com:8080
any one can solve my problem
Might not be able to use localhost, but I can't remember specifically.
If you are using localhost, you can't use .com in the appdomain. If doesnt let you do otherwise, then that means you must use an actual domain, not localhost. Use something like http://localtunnel.me/ to get around this.
Otherwise, just need to make sure the canvas & web urls match each other.

Permission issues checking if parent site is my parent domain within iframe

I've read several of the questions on this but am still a little confused.
For example: OK, I can't post examples because of hyperlink limitations
Here is my exact situation.
I have a site at mydomain.com
One of the pages has an iframe to another page at sub.mydomain.com
I am trying to prepare an onload script that if the page is not in an iframe or the parent domain of the page containing the iframe is not mydomain.com then redirect to mydomain.com.
After the initial permission issues I realised the problem with sub domains counting as separate domains.
One of the posts above says that "could each use either foo.mydomain.com or just mydomain.com"
So I tried (for testing):
onload="document.domain='mydomain.com';alert(parent.location.href);"
This produced the error (http replaced with lar
Error: Permission denied for <http://sub.mydomain.net> (document.domain=<http://mydomain.net>) to get property Location.href from <http://mydomain.net> (document.domain has not been set).
Source File: http://sub.mydomain.net/?pageID=1&framed=1
Line: 1
Removing the alert produces no errors.
Maybe I am going about this the wrong way since I do not need to interact with the parent just read its domain if there is one.
A nice simple top.domain. For read only there must be a way so that people can prevent their own pages being used within other people's sites.
You can't (easily) do this because of security restrictions.
This answer from #2771397 might point you in the right direction.
OK, while looking at the error console I still had open when I got home a wee lightbulb lit up. I am pretty new to javascript (can you tell ;) but I thought "If it has try/catch"...
well here is a hack at least to get the name of the top domain and an example of how I will use it in my site to show content only if the page is a frame in the correct domain.
Firstly the header will have the following partially PHP generated function:
function getParentDomain()
{
try
{
var wibble=top.location.href;
}
catch(err)
{
if (err.message.indexOf('http://mydomain.com')!=-1)
{
createCookie('IAmAWomble','value')
}
}
}
Basically the value will be something based on the PHP session I think. This will be executed at page load.
If the page is not within the proper site or if javascript is not enabled then the cookie will not be created.
PHP will then attempt to read the correct value from the cookie and show the content or an error message as appropriate.
I do see a slight flaw in this for first visit since page load will run after PHP has generated the content but I'm sure I can work around this somehow. I thought I'd post because this is at least what I was initially asking for and that is a way to read the URL of a parent site if it is in a different domain to the site in the frame.
IIUC you want to use the window.parent attribute: “A reference to the parent of the current window or subframe.”
Assumably, window.parent.document.location.host contains the container page URL domain name.

Categories