Understand why chromeWebSecurity: false is needed #181

Open
scottohara opened this issue May 25, 2020 · 2 comments

@scottohara
Owner

As described in the Cypress docs, same-origin policy can cause issues with cross-origin iframes etc.

However we don't use cross-origin iframes, navigate to other domains or perform any JS redirects. We're an SPA with client-side routing, and the URL never changes.

So it is unclear why we still need to set chromeWebSecurity: false in our cypress.json config?

Without this setting, when calling cy.visit("/#!/some/route"); (which should not change the origin or do anything with iframes), we get the following error:

[image: loot]

Would like to understand why Cypress thinks this is a cross-origin frame.

@scottohara
Owner Author

Suspecting it may be something to do with the /#!/ in the path, also tried different combinations of:

// cypress.json - "baseUrl": "http://localhost:5000"
cy.visit("/#!/accounts");

// cypress.json - "baseUrl": "http://localhost:5000/#!"
cy.visit("/accounts");

// cypress.json - "baseUrl": "http://localhost:5000/#!/"
cy.visit("accounts");

Same result each time.

@scottohara
Owner Author

scottohara commented Dec 17, 2021

On further inspection (after having removed & re-added chromeWebSecurity: false numerous times), setting this option controls the --disable-web-security command-line argument when launching Chrome:

https://github.com/cypress-io/cypress/blob/f79bdd665ada815fbfa238baac7a66c38d3b5d82/packages/server/lib/browsers/chrome.ts#L405-L408

In turn, this command-line argument controls numerous things in Chrom(e|ium), including CORS.

Another error we have seen is "cannot set property name of which has only a getter", which is resolved by disabling web security.
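
One way to confirm at launch time which arguments Cypress hands to Chrome for a given chromeWebSecurity value, as an added example (not code from this issue or from the Cypress project): a plugins-file hook on Cypress's before:browser:launch event. The function names, the log prefix and the second entry in the watch list are assumptions of this example.

```javascript
// cypress/plugins/index.js (the plugins-file layout that goes with cypress.json)

// Chrome switches that relax the browser's web security model.
// "--disable-web-security" is the one named in the issue; the second entry is
// a real Chrome switch added to this example's watch list as an assumption.
const RELAXING_FLAGS = ["--disable-web-security", "--allow-running-insecure-content"];

// Return the launch arguments that are, or assign a value to, a watched switch.
function findRelaxingFlags(args) {
  return (args || []).filter((arg) =>
    RELAXING_FLAGS.some((flag) => arg === flag || arg.startsWith(flag + "=")));
}

// Summarise one browser launch: configured value versus the flags really passed.
function launchReport(browser, launchOptions, config) {
  const flags = findRelaxingFlags(launchOptions.args);
  return {
    browser: browser.name,
    chromeWebSecurity: config.chromeWebSecurity,
    relaxingFlags: flags,
    webSecurityDisabled: flags.includes("--disable-web-security"),
  };
}

// Plugins-file entry point: log the report before every browser launch.
function plugin(on, config) {
  on("before:browser:launch", (browser, launchOptions) => {
    const report = launchReport(browser || {}, launchOptions, config);
    console.log("[launch-audit] " + JSON.stringify(report));
    return launchOptions; // pass the options through unchanged
  });
  return config;
}

// Cypress loads the plugins file as a CommonJS module.
if (typeof module !== "undefined") module.exports = plugin;
```

Running the suite once with chromeWebSecurity: false and once without it shows in the Cypress process output whether the relaxed flags are present for each run, which narrows down which relaxation the failing test actually depends on.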
