cypress: Chrome hangs on application open intent with --waiting for new page to load--

I’m referring to this as it is a real blocker for testing business applications. Let’s consider a typical scenario:

A (base url for Cypress tests) -> B (OAuth login form) -> A (redirect uri for OAuth). A and B don’t share the same site.

• A = https://app.mydomain.com
• B = https://login.provider.com

Note that:

• I cannot use Chrome out of security reasons (despite disableWebSecurity = true I have to hack X-frame-options using a Chrome extension for fixing “Refused to display ‘https://login.provider.com’ in a frame because it set ‘X-Frame-Options’ to ‘deny’.” This happens because Cypress loads the application into an iframe. Unfortunately, I’m not allowed to load the according Chrome extension due to a corporate policy.)
• In Firefox I’m able to bypass the security measures (X-frame-options, Same-Site policy etc.). Now, I’m looking for the proper preferences to bypass also the cross origin check (see below).
• manual OAuth flow behind the scenes (described in https://docs.cypress.io/guides/guides/web-security.html#Form-Submission-Redirects) is not really possible due to additional security measures such as XSRF token etc.

With the following test, I can navigate to the OAuth login form hosted on domain B (meaning: I can see the rendered page):

  cy.server();
  cy.route('https://login.provider.com/**').as('oauth');

  getLoginButton().click(); // this navigates to https://login.provider.com/login

  cy.wait('@oauth');

however, then I also see this warning

(page load)--waiting for new page to load--

If I manually finish the OAuth flow using valid credentials (of course I have to do it within the timeout) then the state of that line turns to

"(page load)--page loaded--".

The state of the application is correct, I successfully finished the OAuth flow and the application has a correct state.

But Cypress shows this error:

Cypress detected a cross origin error happened on page load:

  > Permission denied to access property "document" on cross-origin object

Before the page load, you were bound to the origin policy:

  > https://mydomain.com

A cross origin error happens when your application navigates to a new URL which does not match the origin policy above.

A new URL does not match the origin policy if the 'protocol', 'port' (if specified), and/or 'host' (unless of the same superdomain) are different.

Cypress does not allow you to navigate to a different origin URL within a single test.

You may need to restructure some of your test code to avoid this problem.

Alternatively you can also disable Chrome Web Security in Chromium-based browsers which will turn off this restriction by setting { chromeWebSecurity: false } in cypress.json.Learn more

The stacktrace is:

    at onPageLoadErr (https://app.mydomain.com/__cypress/runner/cypress_runner.js:156215:18)
    at initialize (https://app.mydomain.com/__cypress/runner/cypress_runner.js:168094:18)
    at dispatch (https://app.mydomain.com/__cypress/runner/cypress_runner.js:90364:28)
    at add/elemData.handle (https://app.mydomain.com/__cypress/runner/cypress_runner.js:90172:29)
From previous event:
    at run (https://app.mydomain.com/__cypress/runner/cypress_runner.js:167762:20)
    at addCommand/cy[name] (https://app.mydomain.com/__cypress/runner/cypress_runner.js:168214:12)
    at runTest (../../node_modules/cypress-cucumber-preprocessor/lib/createTestFromScenario.js:47:1)
	...

I think some of the Firefox preferences could fix it. Do you know what is the counterpart of disableWebSecurity when running Firefox? I found https://bugzilla.mozilla.org/show_bug.cgi?id=1039678 which is still open but I assume that some combination of FF preferences could provide the same behavior.