spike: attempt to use url() and hash() in the automation client and unbind it from the window

Author: AtofStryker

cli/types/cypress.d.ts

@@ -4007,7 +4007,7 @@ declare namespace Cypress {
   /**
    * Options to change the default behavior of .url()
    */
-  interface UrlOptions extends Loggable, Timeoutable {
+  interface UrlOptions extends Loggable {
     /**
      * Whether the url is decoded
      *

packages/driver/cypress/e2e/e2e/origin/commands/actions.cy.ts

@@ -188,6 +188,49 @@ context('cy.origin actions', { browser: '!webkit' }, () => {
     })
   })
 
+  // With Cypress 15, window(), url(), and hash() all work without cy.origin().
+  // However, users may not have access to the AUT window object, so cy.window() yielded window objects
+  // may return cross-origin errors. However, url() and hash() will work without cy.origin() as they now use the automation client.
+  context('cross-origin AUT commands without cy.origin()', () => {
+    it('.window()', (done) => {
+      cy.get('a[data-cy="dom-link"]').click()
+      cy.window().then((win) => {
+        // The window is in a cross-origin state, but users are able to yield the command
+        // as well as basic accessible properties
+        expect(win.length).to.equal(2)
+        try {
+          // but cannot access cross-origin properties
+          win[0].location.href
+        } catch (e) {
+          expect(e.name).to.equal('SecurityError')
+          expect(e.message).to.include('Blocked a frame with origin "http://localhost:3500" from accessing a cross-origin frame.')
+          done()
+        }
+      })
+    })
+
+    it('.url()', () => {
+      cy.get('a[data-cy="dom-link"]').click()
+      cy.url().then((url) => {
+        expect(url).to.equal('http://www.foobar.com:3500/fixtures/dom.html')
+      })
+    })
+
+    it('.hash()', () => {
+      cy.get('a[data-cy="cross-origin-secondary-link"]').click()
+      cy.origin('http://www.foobar.com:3500', () => {
+        cy.get('a[data-cy="hashChange"]').click()
+        cy.hash().then((hash) => {
+          expect(hash).to.equal('#hashChange')
+        })
+      })
+
+      cy.hash().then((hash) => {
+        expect(hash).to.equal('#hashChange')
+      })
+    })
+  })
+
   context('cross-origin AUT errors', () => {
     // We only need to check .get here because the other commands are chained off of it.
     // the exceptions are window(), document(), title(), url(), hash(), location(), go(), reload(), and scrollTo()
@@ -213,15 +256,6 @@ context('cy.origin actions', { browser: '!webkit' }, () => {
       cy.get('#button')
     })
 
-    it('.window()', (done) => {
-      cy.on('fail', (err) => {
-        assertOriginFailure(err, done)
-      })
-
-      cy.get('a[data-cy="dom-link"]').click()
-      cy.window()
-    })
-
     it('.document()', (done) => {
       cy.on('fail', (err) => {
         assertOriginFailure(err, done)
@@ -240,24 +274,6 @@ context('cy.origin actions', { browser: '!webkit' }, () => {
       cy.title()
     })
 
-    it('.url()', (done) => {
-      cy.on('fail', (err) => {
-        assertOriginFailure(err, done)
-      })
-
-      cy.get('a[data-cy="dom-link"]').click()
-      cy.url()
-    })
-
-    it('.hash()', (done) => {
-      cy.on('fail', (err) => {
-        assertOriginFailure(err, done)
-      })
-
-      cy.get('a[data-cy="dom-link"]').click()
-      cy.hash()
-    })
-
     it('.location()', (done) => {
       cy.on('fail', (err) => {
         assertOriginFailure(err, done)

packages/driver/src/cy/commands/location.ts

@@ -3,29 +3,16 @@ import _ from 'lodash'
 import $errUtils from '../../cypress/error_utils'
 
 export default (Commands, Cypress, cy) => {
-  Commands.addQuery('url', function url (options: Partial<Cypress.UrlOptions> = {}) {
-    // Make sure the url command can communicate with the AUT.
-    // otherwise, it yields an empty string
-    Cypress.ensure.commandCanCommunicateWithAUT(cy)
-    this.set('timeout', options.timeout)
-
-    Cypress.log({ message: '', hidden: options.log === false, timeout: options.timeout })
-
-    return () => {
-      const href = cy.getRemoteLocation('href')
+  Commands.add('url', function url (options: Partial<Cypress.UrlOptions> = {}) {
+    Cypress.log({ message: '', hidden: options.log === false })
 
-      return options.decode ? decodeURI(href) : href
-    }
+    return Cypress.automation('get:aut:url', {})
   })
 
-  Commands.addQuery('hash', function url (options: Partial<Cypress.Loggable & Cypress.Timeoutable> = {}) {
-    // Make sure the hash command can communicate with the AUT.
-    Cypress.ensure.commandCanCommunicateWithAUT(cy)
-    this.set('timeout', options.timeout)
-
-    Cypress.log({ message: '', hidden: options.log === false, timeout: options.timeout })
+  Commands.add('hash', function url (options: Partial<Cypress.Loggable> = {}) {
+    Cypress.log({ message: '', hidden: options.log === false })
 
-    return () => cy.getRemoteLocation('hash')
+    return Cypress.automation('get:aut:url:hash', {})
   })
 
   Commands.addQuery('location', function location (key, options: Partial<Cypress.Loggable & Cypress.Timeoutable> = {}) {

packages/driver/src/cy/commands/window.ts

@@ -100,7 +100,6 @@ export default (Commands, Cypress, cy, state) => {
 
   Commands.addQuery('window', function windowFn (options: Partial<Cypress.Loggable & Cypress.Timeoutable> = {}) {
     // Make sure the window command can communicate with the AUT.
-    Cypress.ensure.commandCanCommunicateWithAUT(cy)
     this.set('timeout', options.timeout)
     Cypress.log({
       hidden: options.log === false,

packages/server/lib/browsers/bidi_automation.ts

@@ -659,6 +659,22 @@ export class BidiAutomation {
           }
 
           return
+        case 'get:aut:url':
+        {
+          const { contexts: autContext } = await this.webDriverClient.browsingContextGetTree({
+            root: this.autContextId,
+          })
+
+          return autContext ? autContext[0].url : ''
+        }
+        case 'get:aut:url:hash':
+        {
+          const { contexts: autContext } = await this.webDriverClient.browsingContextGetTree({
+            root: this.autContextId,
+          })
+
+          return autContext ? new URL(autContext[0].url).hash : ''
+        }
         default:
           debug('BiDi automation not implemented for message: %s', message)
           throw new AutomationNotImplemented(message, 'BiDiAutomation')

packages/server/lib/browsers/cdp_automation.ts

@@ -464,6 +464,33 @@ export class CdpAutomation implements CDPClient, AutomationMiddleware {
     return false
   }
 
+  private _getAutFrame = async () => {
+    try {
+      const frameTree = (await this.sendDebuggerCommandFn('Page.getFrameTree')).frameTree
+      const frame = _.find(frameTree?.childFrames || [], ({ frame }) => {
+        return frame?.name?.startsWith('Your project:')
+      }) as HasFrame | undefined
+
+      return frame?.frame
+    } catch (err) {
+      debugVerbose('failed to get aut frame:', err.stack)
+
+      return undefined
+    }
+  }
+
+  private _getAutUrl = async () => {
+    const frame = await this._getAutFrame()
+
+    return frame?.url || ''
+  }
+
+  private _getAutUrlHash = async () => {
+    const frame = await this._getAutFrame()
+
+    return frame?.urlFragment || ''
+  }
+
   _handlePausedRequests = async (client: CriClient) => {
     // NOTE: only supported in chromium based browsers
     await client.send('Fetch.enable', {
@@ -611,6 +638,10 @@ export class CdpAutomation implements CDPClient, AutomationMiddleware {
         }
 
         return cdpKeyPress(data, this.sendDebuggerCommandFn, this.executionContexts, (await this.send('Page.getFrameTree')).frameTree)
+      case 'get:aut:url':
+        return this._getAutUrl()
+      case 'get:aut:url:hash':
+        return this._getAutUrlHash()
       default:
         throw new Error(`No automation handler registered for: '${message}'`)
     }

packages/types/src/server.ts

@@ -91,6 +91,8 @@ export interface AutomationCommands {
   'remote:debugger:protocol': CommandSignature
   'response:received': CommandSignature
   'key:press': CommandSignature<KeyPressParams, void>
+  'get:aut:url': CommandSignature<{ url: string }, string>
+  'get:aut:url:hash': CommandSignature<{ hash: string }, string>
 }
 
 export type OnRequestEvent = <T extends keyof AutomationCommands>(message: T, data: AutomationCommands[T]['dataType']) => Promise<AutomationCommands[T]['returnType']>

system-tests/__snapshots__/web_security_spec.js

@@ -30,7 +30,7 @@ exports['e2e web security / when enabled / fails'] = `
 
   1) web security
        fails when clicking <a> to another origin:
-     CypressError: The command was expected to run against origin \`http://localhost:4466\` but the application is at origin \`https://www.foo.com:44665\`.
+     CypressError: Timed out retrying after 4000ms: The command was expected to run against origin \`http://localhost:4466\` but the application is at origin \`https://www.foo.com:44665\`.
 
 This commonly happens when you have either not navigated to the expected origin or have navigated away unexpectedly.
 
@@ -45,7 +45,7 @@ https://on.cypress.io/cy-visit-succeeded-but-commands-fail
 
   2) web security
        fails when submitted a form and being redirected to another origin:
-     CypressError: The command was expected to run against origin \`http://localhost:4466\` but the application is at origin \`https://www.foo.com:44665\`.
+     CypressError: Timed out retrying after 4000ms: The command was expected to run against origin \`http://localhost:4466\` but the application is at origin \`https://www.foo.com:44665\`.
 
 This commonly happens when you have either not navigated to the expected origin or have navigated away unexpectedly.
 
@@ -60,7 +60,7 @@ https://on.cypress.io/cy-visit-succeeded-but-commands-fail
 
   3) web security
        fails when using a javascript redirect to another origin:
-     CypressError: The command was expected to run against origin \`http://localhost:4466\` but the application is at origin \`https://www.foo.com:44665\`.
+     CypressError: Timed out retrying after 4000ms: The command was expected to run against origin \`http://localhost:4466\` but the application is at origin \`https://www.foo.com:44665\`.
 
 This commonly happens when you have either not navigated to the expected origin or have navigated away unexpectedly.