Cypress invalid proxy certificate affects disk cache #7307
Comments
jsantha
changed the title
Have you been able to observe this behavior in Cypress? I have not noticed cache behaving oddly, but it's possible I have not been working on enough HTTPS stuff to see it. We do pass arguments to Chrome to force them to permit invalid certs, so it could also be affecting this behavior. I ask because this comment seems to imply that caching DOES work, but it is in-memory, not written to disk.
Hmm, this would technically work, but some users will not want Cypress to touch their CA store. Also, this will probably break in any managed environment with antivirus/GPO setups that prevent malicious CAs being installed. It would be a security issue too. Although the test runner's CA keys are not shared pubicly (they are generated locally per-computer and cached), it's possible that malware on a user's computer could read the CA file and use it to intercept HTTPS traffic without the user's knowledge (if Cypress were added to the CA store) |
Quick peek into chromium source code shows that this behavior (cache not work with invalid cert) is intended and cannot be prevented with browser arguments: /net/http/http_cache_transaction.cc Anyway, I have made a quick test: Chrome 81
Our application leverages http caching for some quite heavy REST API calls and since I have rewritten some of our e2e tests from Selenium to Cypress, I have immediately noticed that Cypress test cases run much slower than those running via Selenium.
I'm not really familiar with internal working of those certificates and theirs potential security issues but we could perhaps inspire at .NET Core SDK that provides a CLI option to make its own development certificate trusted Trust the ASP.NET Core HTTPS development certificate on Windows and macOS and in addition, we could inform users about the potential security risk you mentioned. |
|
Can you provide the full repo/code for your reproduction of the caching issue? I was not able to verify the behavior that caching is effected from within Cypress when SSL certificate errors are present. The cache is cleared in Cypress before each run of a spec file. So there will not be any caching on the first run of a test, but the subsequent runs of tests, resources should be cached. You can observe this with the following test: it('test', () => {
cy.visit('https://reactjs.org/docs/getting-started.html')
});
it('test2', () => {
cy.visit('https://reactjs.org/docs/getting-started.html')
});When looking at the network tab (filtering by Img), the first test has the 'search.svg' with a 200 status. The second test, the request has the 'search.svg' return as status 304 Not Modified. It is returning with the cached image.
|
|
@jennifer-shehane You have chosen wrong file to check caching, the |
|
Yeah, it does seem that the invalid certificate will affect disk cache. Thanks for providing the repo. We could maybe fix this by implementing the certificate override at the remote debugger protocol level (if Chromium’s comment is true). |
cypress-bot
bot
added
the
stage: ready for work
jennifer-shehane
added
the
type: unexpected behavior
jennifer-shehane
changed the title
|
I am using cypress 7.1 and facing this invalid certificate issue. Should I take this as solution "Maybe inform that this problem can be resolved by importing CypressProxyCA from cy/production/proxy/certs to the Trusted Root Certification Authority store" Can anyone please advise how to access this 'cy/production/proxy/certs'? thanks |
|
I agree with the original post, this is not only the cosmetic problem. Chromium browsers also block webRTC access (media devices are disabled) if there is "Not secure" connection. Using Cypress 7.3 |
I tried this solution, but certificate But chrome still suggests its "Not secure" connection. |
|
@valter11111
|
In addition to the above steps, you also need to clear the Site Settings, Data etc using Ctrl+Shift+Delete (on windows) while chrome is openned via Cypress. Otherwise, chrome keeps caching the trust (untrusted certificate) as usual. |
how can I import |
|
This should no longer be an issue on the latest version of Cypress, is anyone experiencing this on 10.1.0? |
I having the following issue with Cypress latest versions when running in the CI, I thought this is related to the issue we are talking here, what do you think? |
|
@flotwig, my Cypress version is |
|
I've recently migrated from Cypress I read a few threads and it seems issue was fixed in But I also see that @shammlo refers above to @jsantha, as author of this issue which is still open in Jan-2023, how about you? |
|
@flotwig @karlamieses @andrii-lundiak I believe the issue you have in mind is unrelated ( If Cypress could import the |
|
|
Are folks on this thread still experiencing this issue on the latest version of Cypress? |
|
We see the issue in Cypress 12.11.0 |
|
Importing CA certificate solved caching issue for me for local testing but could someone help me, how could I import same certificate in CICD within cypress docker image environment? Also could be this solved somehow globally within cypress app @jennifer-shehane ? Seems that this issue is known for nearly 3 years and disabled disk cache may quite hard affect testing speeds for apps where developers intentionally utilise browser client cache to speed up loading of assets and reduce HTTP traffic. |
|
@martin-pikalek maybe something like this could work https://thomas-leister.de/en/how-to-import-ca-root-certificate/ |
|
The Chrome Cert file to import to seems to be EDIT: I am trying to prepend something like this to my run command: but getting certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database. Also we might need to run cypress with an empty spec at first to generate the pa.pem EDIT2: I have to remove the file name
|
|
That's the final command we use as a workaround in our CI: Are there chances to add an option |
|
Glad you got a work around @amenk! |
|
This issue has not had any activity in 180 days. Cypress evolves quickly and the reported behavior should be tested on the latest version of Cypress to verify the behavior is still occurring. It will be closed in 14 days if no updates are provided. |
|
Okay, can be followed up in #26744 then |
|
This issue has not had any activity in 180 days. Cypress evolves quickly and the reported behavior should be tested on the latest version of Cypress to verify the behavior is still occurring. It will be closed in 14 days if no updates are provided. |
|
This issue has been closed due to inactivity. |
Current behavior:
Information that certificate error is purely cosmetic problem as specified here docs.cypress.io/faq/questions/using-cypress-faq.html is misleading.
Chrome, as reported here bugs.chromium.org/p/chromium/issues/detail?id=110649 ignores http caching when any error with ssl certificate occurs. This means that the application under the test is affected and not behaving as intended (http caching is fully disabled, app load time can be significantly slower...).
Desired behavior:
CypressProxyCAfromcy/production/proxy/certs/ca.pemto the Trusted Root Certification Authority storeTest code to reproduce
https://github.com/jsantha/cypress-invalid-cert
Versions
Chrome from version ~16 to actual (81)
Windows 10
Cypress 4.5.0
The text was updated successfully, but these errors were encountered: