Proxy conflicts with dynamically added content security policy

[Aaronius]

What is your Test Scenario?

I'll describe a simplified version of our test scenario:
We have a test that runs on a page that adds a content security policy via JavaScript, then sends a request to example.com, which is one of the hosts listed in the connect-src directive in the content security policy.

What is the Current behavior?

The test fails because the request to example.com is blocked. Although our request is intended to go to example.com, hammerhead (I assume) is changing our request URL to look like:

http://192.168.1.131:55623/DmakYsj4z*YtOF8upra!a!1!localhost%3A3000/https://example.com

which gets blocked by the CSP, because 192.168.1.131 isn't listed as an allowed host in the CSP.

This seems to be a fairly new issue (1.11.0 or possibly earlier). We did not run into this issue on 1.10.0.

What is the Expected behavior?

I would expect the request to example.com to succeed, because the host is allowed by the CSP.

What is your web application and your TestCafe test code?

Your website URL (or attach your complete example):

<!DOCTYPE html>
<html lang="en">
  <head>
    <title>React App</title>
    <script>
      const meta = document.createElement("meta");
      meta.httpEquiv = "Content-Security-Policy";
      meta.content = `default-src 'self';
                  script-src 'self' 'unsafe-inline';
                  style-src 'self' 'unsafe-inline';
                  connect-src 'self' *.example.com;`;
      document.head.appendChild(meta);
      fetch("https://example.com");
    </script>
  </head>
  <body>
    <div id="root"></div>
  </body>
</html>

Your complete test code (or attach your test files):

 fixture("CSP").page("http://localhost:3000");

test("should pass without errors", async t => {
  await t.expect(true).eql(true);
});

Your complete test report:

A test run is starting...
 Running tests in:
 - Chrome 89.0.4389.82 / macOS 10.15.7

 CSP
 ✖ should pass without errors

   1) A JavaScript error occurred on "http://localhost:3000/".
      Repeat test actions in the browser and check the console for errors.
      If you see this error, it means that the tested website caused it. You can fix it or disable tracking JavaScript errors in TestCafe. To do the latter, enable the "--skip-js-errors"
      option.
      If this error does not occur, please write a new issue at:
      "https://github.com/DevExpress/testcafe/issues/new?template=bug-report.md".
      
      JavaScript error details:
      TypeError: Failed to fetch
          at fetch (http://192.168.1.131:55622/hammerhead.js:9:578)
          at http://localhost:3000/:20:7

      Browser: Chrome 89.0.4389.82 / macOS 10.15.7



 1/1 failed (0s)

Steps to Reproduce:

You can clone https://github.com/Aaronius/testcafe-bugs
Check out the csp branch.
Run npm install
Run npm start
In a different terminal, run npm test

Your Environment details:

• testcafe version: 1.12.0
• node.js version: 14.15.3
• command-line arguments: testcafe chrome
• browser name and version: Chrome 89.0 (the same problem occurs on Safari and Firefox, at least)
• platform and version: macOS 10.15.7
• other: This problem only occurs when the CSP is dynamically added using JavaScript. If the CSP is part of the HTML and not added by JavaScript, no issue occurs.

[felis2803]

Hello,

Thank you for your report. I reproduced this behavior. We need some time to research it. For now, use the '--skip-js-errors' flag as a workaround.

[Aaronius]

Thanks @felis2803. Unfortunately, using --skip-js-errors won't work for us. My example showed a simplified version of our test, but in reality our test depends on the request successfully being sent. Thank you for working on this!

[Ghost-J]

Hey, has there been an update on this issue, with version 1.14.0 the issue persists? We've noticed that it started with version 1.11.0.

Most likely related to this change:

TestCafe proxy now correctly handles requests that are not permitted by the CORS policy (testcafe-hammerhead/#1263)

Sadly --skip-js-errors doesn't work for us either as the request needs to be successful, for the component to load.

[aleks-pro]

Hello @Ghost-J,

We didn't look into this problem yet. So, it still persists in TestCafe 1.14.0. We will update this thread once we have any news.

[Ghost-J]

Issue still persists with version 1.15.2. Thought I'd push the thread as the bot removed the "need response" state.

PS: Due to not being able to update we aren't able to resolve the issue mentioned here. DevExpress/testcafe-hammerhead#2653

[miherlosev]

Hi @Aaronius

This problem only occurs when the CSP is dynamically added using JavaScript. If the CSP is part of the HTML and not added by JavaScript, no issue occurs.

TestCafe is trying to remove CSP directives in tags and headers from the tested page. The case when the meta tag with CSP directives is added to the head tag is not handled correctly.
The issue is still reproduced in testcafe@1.17.2-rc.2.

[Ghost-J]

Hi, the issue still persists with testcafe v1.18.1 and hammerhead v17.1.26.

[miherlosev]

The fix will be shipped with the next TestCafe version (1.18.2 and above).

[Ghost-J]

The issue still seems to persist with testcafe v1.18.2 and hammerhead v.24.5.13

[felis2803]

@Ghost-J, You're right, this issue is still reproducible on testcafe@1.18.2.