Unexpected Chrome SecurityError in Headless mode #30571
Description
Current behavior
We recently did an upgrade of one of our pipelines from Cypress 13.6.1 & Chrome 107 to Cypress 13.15.2 & Chrome 130. This resulted in random cy.session failures appearing in our Github Actions pipelines when a test redirects to Auth0. At first I thought this was a Cypress issue, but I've worked out that the issue only appears when running new versions of Chrome in headless mode. Downgrading to Chrome 109 the issue goes away. Opening Cypress via open is unable to reproduce the issue.
We see the below message, but checking the replay we can tell the page loaded fine:
Timed out after waiting 60000ms for your remote page to load.
Your page did not fire its load event within 60000ms.
Checking the console logs, we get the below:
Uncaught SecurityError: Failed to read a named property 'Cypress' from 'Window': Blocked a frame with origin "https://{our-custom-auth0-domain}" from accessing a cross-origin frame. at https://{our-custom-auth0-domain}/u/login/identifier
This only occurs after a number of already-successful logins in other specs and the spec that fails seems to be whichever one is 5th or 6th in the test suite.
Desired behavior
Not crash with a SecurityError
Test code to reproduce
To reproduce this you need to target a website that has a same-origin redirect to an Auth0 login page (product.ourdomain.dev -> login.ourdomain.dev), which I've put together. Cross-origin redirects are not impacted by this issue (localhost -> login.ourdomain.dev).
https://github.com/Hawxy/cypress-same-origin-crash
Run with npx cypress run --browser chrome (or edge) --headless
Should fail within a few specs.
Cypress Version
13.15.2
Node version
20/22 (not a factor)
Operating System
Ubuntu/Windows (not a factor)
Debug Logs
No response
Other
No response