cypress-io · alexsch01 · Nov 10, 2025 · Nov 10, 2025 · Nov 10, 2025 · Nov 11, 2025
diff --git a/cli/CHANGELOG.md b/cli/CHANGELOG.md
@@ -16,6 +16,7 @@ _Released 11/18/2025 (PENDING)_
 - Fixed an issue where [`cy.wrap()`](https://docs.cypress.io/api/commands/wrap) would cause infinite recursion and freeze the Cypress App when called with objects containing circular references. Fixes [#24715](https://github.com/cypress-io/cypress/issues/24715). Addressed in [#32917](https://github.com/cypress-io/cypress/pull/32917).
 - Fixed an issue where top changes on test retries could cause attempt numbers to show up more than one time in the reporter and cause attempts to be lost in Test Replay. Addressed in [#32888](https://github.com/cypress-io/cypress/pull/32888).
 - Fixed an issue where stack traces that are used to determine a test's invocation details are sometimes incorrect. Addressed in [#32699](https://github.com/cypress-io/cypress/pull/32699)
+- Fixed an issue where the browser will freeze when Cypress intercepts a synchronous request and a routeHandler is used. Fixes [#32874](https://github.com/cypress-io/cypress/issues/32874). Addressed in [#32925](https://github.com/cypress-io/cypress/pull/32925).
 - Fixed an issue where larger than expected config values were causing issues in certain cases when recording to the Cypress Cloud. Addressed in [#32957](https://github.com/cypress-io/cypress/pull/32957)
 
 

diff --git a/packages/net-stubbing/lib/server/intercepted-request.ts b/packages/net-stubbing/lib/server/intercepted-request.ts
@@ -13,6 +13,7 @@ import type { BackendRoute, NetStubbingState } from './types'
 import { emit, sendStaticResponse } from './util'
 import type CyServer from '@packages/server'
 import type { BackendStaticResponse } from '../internal-types'
+import { styleText } from 'util'
 
 export class InterceptedRequest {
   id: string
@@ -72,6 +73,12 @@ export class InterceptedRequest {
       return
     }
 
+    if (this.req.isSyncRequest) {
+      process.stdout.write(styleText('yellow', 'WARNING: sync request was not intercepted\n'))
+
+      return
+    }
+
     for (const route of this.req.matchingRoutes) {
       if (route.disabled) {
         continue

diff --git a/packages/proxy/lib/http/request-middleware.ts b/packages/proxy/lib/http/request-middleware.ts
@@ -34,11 +34,16 @@ const ExtractCypressMetadataHeaders: RequestMiddleware = function () {
 
   this.req.isAUTFrame = !!this.req.headers['x-cypress-is-aut-frame']
   this.req.isFromExtraTarget = !!this.req.headers['x-cypress-is-from-extra-target']
+  this.req.isSyncRequest = !!this.req.headers['x-cypress-is-sync-request']
 
   if (this.req.headers['x-cypress-is-aut-frame']) {
     delete this.req.headers['x-cypress-is-aut-frame']
   }
 
+  if (this.req.headers['x-cypress-is-sync-request']) {
+    delete this.req.headers['x-cypress-is-sync-request']
+  }
+
   span?.setAttributes({
     isAUTFrame: this.req.isAUTFrame,
     isFromExtraTarget: this.req.isFromExtraTarget,

diff --git a/packages/proxy/lib/http/response-middleware.ts b/packages/proxy/lib/http/response-middleware.ts
@@ -15,6 +15,7 @@ import { hasServiceWorkerHeader, isVerboseTelemetry as isVerbose } from '.'
 import { CookiesHelper } from './util/cookies'
 import * as rewriter from './util/rewriter'
 import { doesTopNeedToBeSimulated } from './util/top-simulation'
+import { styleText } from 'util'
 
 import type Debug from 'debug'
 import type { CookieOptions } from 'express'
@@ -719,6 +720,14 @@ const MaybeCopyCookiesFromIncomingRes: ResponseMiddleware = async function () {
     return this.next()
   }
 
+  if (this.req.isSyncRequest) {
+    process.stdout.write(styleText('yellow', 'WARNING: cross-origin cookies may not have been applied\n'))
+
+    span?.end()
+
+    return this.next()
+  }
+
   // we want to set the cookies via automation so they exist in the browser
   // itself. however, firefox will hang if we try to use the extension
   // to set cookies on a url that's in-flight, so we send the cookies down to

diff --git a/packages/proxy/lib/types.ts b/packages/proxy/lib/types.ts
@@ -28,6 +28,7 @@ export type CypressIncomingRequest = Request & {
    * Stack-ordered list of `cy.intercept()`s matching this request.
    */
   matchingRoutes?: BackendRoute[]
+  isSyncRequest: boolean
 }
 
 export type RequestCredentialLevel = 'same-origin' | 'include' | 'omit' | boolean

diff --git a/packages/runner/injection/main.js b/packages/runner/injection/main.js
@@ -32,3 +32,15 @@ Cypress.on('app:timers:pause', timers.pause)
 timers.wrap()
 
 Cypress.action('app:window:before:load', window)
+
+const originalXmlHttpRequestOpen = window.XMLHttpRequest.prototype.open
+
+window.XMLHttpRequest.prototype.open = function (...args) {
+  const result = originalXmlHttpRequestOpen.apply(this, args)
+
+  if (args.length > 2 && !args[2]) {
+    this.setRequestHeader('x-cypress-is-sync-request', 'true')
+  }
+
+  return result
+}
diff --git a/packages/runner/injection/patches/xmlHttpRequest.ts b/packages/runner/injection/patches/xmlHttpRequest.ts
@@ -13,22 +13,37 @@ export const patchXmlHttpRequest = (window: Window) => {
       // we need to store a reference here to what we need in the send method
       this._url = captureFullRequestUrl(args[1], window)
     } finally {
-      return originalXmlHttpRequestOpen.apply(this, args as any)
+      const result = originalXmlHttpRequestOpen.apply(this, args as any)
+
+      if (args.length > 2 && !args[2]) {
+        this.setRequestHeader('x-cypress-is-sync-request', 'true')
+        this._isSyncRequest = true
+      } else {
+        this._isSyncRequest = false
+      }
+
+      return result
     }
   }
 
-  window.XMLHttpRequest.prototype.send = async function (...args) {
-    try {
-      // if the option is specified, communicate it to the the server to the proxy can make the request aware if it needs to potentially apply cross origin cookies
-      // if the option isn't set, we can imply the default as we know the "resourceType" in the proxy
-      await requestSentWithCredentials({
-        url: this._url,
-        resourceType: 'xhr',
-        credentialStatus: this.withCredentials,
-      })
-    } finally {
-      // if our internal logic errors for whatever reason, do NOT block the end user and continue the request
+  window.XMLHttpRequest.prototype.send = function (...args) {
+    if (this._isSyncRequest) {
       return originalXmlHttpRequestSend.apply(this, args)
     }
+
+    return (async () => {
+      try {
+        // if the option is specified, communicate it to the the server to the proxy can make the request aware if it needs to potentially apply cross origin cookies
+        // if the option isn't set, we can imply the default as we know the "resourceType" in the proxy
+        await requestSentWithCredentials({
+          url: this._url,
+          resourceType: 'xhr',
+          credentialStatus: this.withCredentials,
+        })
+      } finally {
+        // if our internal logic errors for whatever reason, do NOT block the end user and continue the request
+        return originalXmlHttpRequestSend.apply(this, args)
+      }
+    })()
   }
 }