{ "doc": { "id": "app/guides/cross-origin-testing", "title": "Cross Origin Testing: Cypress Guide", "description": "Learn how to test cross-origin content with Cypress.", "section": "app", "source_path": "/llm/markdown/app/guides/cross-origin-testing.md", "version": "48b03b5502f7aea1d0454750cce208f775403542", "updated_at": "2026-05-20T19:00:20.270Z", "headings": [ { "id": "app/guides/cross-origin-testing#cross-origin-testing", "text": "Cross Origin Testing", "level": 1 }, { "id": "app/guides/cross-origin-testing#what-youll-learn", "text": "What you'll learn", "level": 5 }, { "id": "app/guides/cross-origin-testing#web-security", "text": "Web Security", "level": 2 }, { "id": "app/guides/cross-origin-testing#what-cypress-does-under-the-hood", "text": "What Cypress does under the hood", "level": 3 }, { "id": "app/guides/cross-origin-testing#limitations", "text": "Limitations", "level": 2 }, { "id": "app/guides/cross-origin-testing#different-origins-per-test-require-cy-origin", "text": "Different origins per test require cy.origin()", "level": 3 }, { "id": "app/guides/cross-origin-testing#examples-of-test-cases-that-will-error-without-the-use-of-cy-origin", "text": "Examples of test cases that will error without the use of cy.origin", "level": 4 }, { "id": "app/guides/cross-origin-testing#parts-of-a-url", "text": "Parts of a URL", "level": 4 }, { "id": "app/guides/cross-origin-testing#origin", "text": "Origin", "level": 5 }, { "id": "app/guides/cross-origin-testing#cross-origin-iframes", "text": "Cross-origin iframes", "level": 3 }, { "id": "app/guides/cross-origin-testing#examples-of-uses-for-cross-origin-iframes", "text": "Examples of uses for cross-origin iframes", "level": 4 }, { "id": "app/guides/cross-origin-testing#insecure-content", "text": "Insecure Content", "level": 3 }, { "id": "app/guides/cross-origin-testing#example-of-accessing-insecure-content", "text": "Example of accessing insecure content", "level": 4 }, { "id": "app/guides/cross-origin-testing#the-solution", "text": "The solution", "level": 4 }, { "id": "app/guides/cross-origin-testing#same-port-per-test", "text": "Same port per test", "level": 3 }, { "id": "app/guides/cross-origin-testing#common-workarounds", "text": "Common Workarounds", "level": 2 }, { "id": "app/guides/cross-origin-testing#external-navigation", "text": "External Navigation", "level": 3 }, { "id": "app/guides/cross-origin-testing#form-submission-redirects", "text": "Form Submission Redirects", "level": 3 }, { "id": "app/guides/cross-origin-testing#javascript-redirects", "text": "JavaScript Redirects", "level": 3 }, { "id": "app/guides/cross-origin-testing#cross-origin-errors-with-cy-origin", "text": "Cross-Origin Errors with cy.origin", "level": 3 }, { "id": "app/guides/cross-origin-testing#disabling-web-security", "text": "Disabling Web Security", "level": 2 }, { "id": "app/guides/cross-origin-testing#set-chromewebsecurity-to-false", "text": "Set chromeWebSecurity to false", "level": 3 }, { "id": "app/guides/cross-origin-testing#set-chromewebsecurity-to-false-in-the-cypress-configuration", "text": "Set chromeWebSecurity to false in the Cypress configuration", "level": 4 }, { "id": "app/guides/cross-origin-testing#modifying-obstructive-third-party-code", "text": "Modifying Obstructive Third Party Code", "level": 2 }, { "id": "app/guides/cross-origin-testing#other-workarounds", "text": "Other workarounds", "level": 2 } ] }, "content": { "type": "root", "children": [ { "type": "heading", "depth": 1, "children": [ { "type": "text", "value": "Cross Origin Testing" } ] }, { "type": "heading", "depth": 5, "children": [ { "type": "text", "value": "What you'll learn" } ] }, { "type": "list", "ordered": false, "start": null, "spread": false, "children": [ { "type": "listItem", "spread": false, "checked": null, "children": [ { "type": "paragraph", "children": [ { "type": "text", "value": "What strategies Cypress uses to work around same-origin policy" } ] } ] }, { "type": "listItem", "spread": false, "checked": null, "children": [ { "type": "paragraph", "children": [ { "type": "text", "value": "Limitations and workarounds with cross-origin content" } ] } ] } ] }, { "type": "heading", "depth": 2, "children": [ { "type": "text", "value": "Web Security" } ] }, { "type": "paragraph", "children": [ { "type": "text", "value": "Browsers adhere to a strict " }, { "type": "link", "title": null, "url": "https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy", "children": [ { "type": "text", "value": "same-origin policy" } ] }, { "type": "text", "value": ". This means that browsers restrict access between `` when their origin policies don't match." } ] }, { "type": "paragraph", "children": [ { "type": "text", "value": "Because Cypress works from within the browser, Cypress must be able to directly communicate with your remote application at all times. Unfortunately, browsers naturally try to prevent Cypress from doing this." } ] }, { "type": "paragraph", "children": [ { "type": "text", "value": "To get around these restrictions, Cypress implements some strategies involving JavaScript code, the browser's internal APIs, and network proxying to play by the rules of same-origin policy. It's our goal to fully automate the application under test without you needing to modify your application's code - and we are mostly able to do this." } ] }, { "type": "heading", "depth": 3, "children": [ { "type": "text", "value": "What Cypress does under the hood" } ] }, { "type": "list", "ordered": false, "start": null, "spread": false, "children": [ { "type": "listItem", "spread": false, "checked": null, "children": [ { "type": "paragraph", "children": [ { "type": "text", "value": "Proxies all HTTP / HTTPS traffic." } ] } ] }, { "type": "listItem", "spread": false, "checked": null, "children": [ { "type": "paragraph", "children": [ { "type": "text", "value": "Changes the hosted URL to match that of the application under test." } ] } ] }, { "type": "listItem", "spread": false, "checked": null, "children": [ { "type": "paragraph", "children": [ { "type": "text", "value": "Uses the browser's internal APIs for network level traffic." } ] } ] } ] }, { "type": "paragraph", "children": [ { "type": "text", "value": "When Cypress first loads, the internal Cypress web application is hosted on a random port: something like `http://localhost:64874/__/`." } ] }, { "type": "paragraph", "children": [ { "type": "text", "value": "After the first " }, { "type": "link", "title": null, "url": "/llm/markdown/api/commands/visit.md", "children": [ { "type": "text", "value": "`cy.visit()`" } ] }, { "type": "text", "value": " command is issued in a test, Cypress changes its URL to match the origin of your remote application, thereby solving the first major hurdle of same-origin policy. Your application's code executes the same as it does outside of Cypress, and everything works as expected." } ] }, { "type": "paragraph", "children": [ { "type": "text", "value": "How is HTTPS supported?" } ] }, { "type": "paragraph", "children": [ { "type": "text", "value": "Cypress must assign and manage browser certificates to be able to modify the traffic in real time. You'll notice Chrome display a warning that the 'SSL certificate does not match'. This is expected behavior. Under the hood we act as our own CA authority and issue certificates dynamically in order to intercept requests otherwise impossible to access. We only do this for the origin currently under test, and bypass other traffic." } ] }, { "type": "paragraph", "children": [ { "type": "text", "value": "Note, that Cypress allows you to optionally specify CA / client certificate information for use with HTTPS sites. See " }, { "type": "link", "title": null, "url": "/llm/markdown/app/references/client-certificates.md", "children": [ { "type": "text", "value": "configuring client certificates" } ] }, { "type": "text", "value": ". If the remote server requests a client certificate for a configured URL, Cypress will supply it." } ] }, { "type": "heading", "depth": 2, "children": [ { "type": "text", "value": "Limitations" } ] }, { "type": "paragraph", "children": [ { "type": "text", "value": "It's important to note that although we do our very best to ensure your application works normally inside of Cypress, there are some limitations you need to be aware of." } ] }, { "type": "list", "ordered": false, "start": null, "spread": false, "children": [ { "type": "listItem", "spread": false, "checked": null, "children": [ { "type": "paragraph", "children": [ { "type": "link", "title": null, "url": "#Different-origins-per-test-require-cyorigin", "children": [ { "type": "text", "value": "Different origins per test require cy.origin()" } ] } ] } ] }, { "type": "listItem", "spread": false, "checked": null, "children": [ { "type": "paragraph", "children": [ { "type": "link", "title": null, "url": "#Cross-origin-iframes", "children": [ { "type": "text", "value": "Cross-origin iframes are not supported" } ] } ] } ] }, { "type": "listItem", "spread": false, "checked": null, "children": [ { "type": "paragraph", "children": [ { "type": "link", "title": null, "url": "#Insecure-Content", "children": [ { "type": "text", "value": "Navigating from HTTPS to HTTP will error" } ] } ] } ] }, { "type": "listItem", "spread": false, "checked": null, "children": [ { "type": "paragraph", "children": [ { "type": "link", "title": null, "url": "#Same-port-per-test", "children": [ { "type": "text", "value": "Cypress requires that the URLs navigated to have the same port" } ] } ] } ] } ] }, { "type": "heading", "depth": 3, "children": [ { "type": "text", "value": "Different origins per test require `cy.origin()`" } ] }, { "type": "paragraph", "children": [ { "type": "text", "value": "Cypress changes its own host URL to match that of your applications. With the exception of `cy.origin`, Cypress requires that the URLs navigated to have the same " }, { "type": "link", "title": null, "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin", "children": [ { "type": "text", "value": "origin" } ] }, { "type": "text", "value": " for the entirety of a single test." } ] }, { "type": "paragraph", "children": [ { "type": "text", "value": "If you attempt to visit two different origins, the `cy.origin` command must be used to wrap Cypress commands of the second visited domain. Otherwise, Cypress commands will timeout after the navigation and will eventually error. This is because the commands that were expected to run on the second domain are actually being run on the first domain." } ] }, { "type": "paragraph", "children": [ { "type": "text", "value": "Without `cy.origin()`, you can visit different origins in different tests, but not in the same test." } ] }, { "type": "heading", "depth": 4, "children": [ { "type": "text", "value": "Examples of test cases that will error without the use of `cy.origin`" } ] }, { "type": "list", "ordered": true, "start": 1, "spread": false, "children": [ { "type": "listItem", "spread": false, "checked": null, "children": [ { "type": "paragraph", "children": [ { "type": "link", "title": null, "url": "/llm/markdown/api/commands/click.md", "children": [ { "type": "text", "value": "`.click()`" } ] }, { "type": "text", "value": " an `` with an `href` to a different origin with subsequent Cypress commands being run." } ] } ] }, { "type": "listItem", "spread": false, "checked": null, "children": [ { "type": "paragraph", "children": [ { "type": "link", "title": null, "url": "/llm/markdown/api/commands/submit.md", "children": [ { "type": "text", "value": "`.submit()`" } ] }, { "type": "text", "value": " a `
` that causes your web server to redirect you to a different origin where additional Cypress commands are run." } ] } ] }, { "type": "listItem", "spread": false, "checked": null, "children": [ { "type": "paragraph", "children": [ { "type": "text", "value": "Issue a JavaScript redirect in your application, such as `window.location.href = '...'`, which navigates to a different origin where additional Cypress commands are run." } ] } ] } ] }, { "type": "paragraph", "children": [ { "type": "text", "value": "In each of these situations, Cypress will lose the ability to automate your application and will error via command timeout unless the `cy.origin` command is used." } ] }, { "type": "paragraph", "children": [ { "type": "text", "value": "Read on to learn about " }, { "type": "link", "title": null, "url": "#Common-Workarounds", "children": [ { "type": "text", "value": "working around these common problems" } ] }, { "type": "text", "value": "." } ] }, { "type": "paragraph", "children": [ { "type": "text", "value": "Re-Enabling document.domain Injection" } ] }, { "type": "paragraph", "children": [ { "type": "text", "value": "As of Cypress " }, { "type": "link", "title": null, "url": "/llm/markdown/app/references/changelog.md#14-0-0", "children": [ { "type": "text", "value": "v14.0.0" } ] }, { "type": "text", "value": ", " }, { "type": "link", "title": null, "url": "https://developer.mozilla.org/en-US/docs/Web/API/Document/domain", "children": [ { "type": "text", "value": "`document.domain`" } ] }, { "type": "text", "value": " will no longer be injected into `text/html` pages by default." } ] }, { "type": "paragraph", "children": [ { "type": "text", "value": "This means you must now use `cy.origin()` when navigating between different origins in the same test. Previously, `cy.origin()` was only necessary when navigating between different " }, { "type": "link", "title": null, "url": "/llm/markdown/app/guides/cross-origin-testing.md#Parts-of-a-URL", "children": [ { "type": "text", "value": "superdomains" } ] }, { "type": "text", "value": " in the same test." } ] }, { "type": "paragraph", "children": [ { "type": "text", "value": "By setting the " }, { "type": "link", "title": null, "url": "/llm/markdown/app/references/configuration.md#injectDocumentDomain", "children": [ { "type": "text", "value": "injectDocumentDomain" } ] }, { "type": "text", "value": " configuration option to `true`, Cypress will attempt to inject `document.domain` into `text/html` pages." } ] }, { "type": "paragraph", "children": [ { "type": "text", "value": "A superdomain is comprised of the trailing two elements of the hostname, delimited by a `.` (period). Given `https://www.cypress.io`, the superdomain is determined to be `cypress.io`. When this option is enabled, `cy.origin()` is not necessary when navigating between `https://www.cypress.io` and `https://docs.cypress.io`, but is necessary when navigating between `https://www.cypress.io` and `https://www.auth0.com`." } ] }, { "type": "list", "ordered": false, "start": null, "spread": false, "children": [ { "type": "listItem", "spread": false, "checked": null, "children": [ { "type": "paragraph", "children": [ { "type": "text", "value": "This will cause issues with certain sites, especially those that use " }, { "type": "link", "title": null, "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin-Agent-Cluster", "children": [ { "type": "text", "value": "origin-keyed agent cluster" } ] }, { "type": "text", "value": "s." } ] } ] }, { "type": "listItem", "spread": false, "checked": null, "children": [ { "type": "paragraph", "children": [ { "type": "text", "value": "This option is deprecated, and will be removed in a future version of Cypress." } ] } ] } ] }, { "type": "heading", "depth": 4, "children": [ { "type": "text", "value": "Parts of a URL" } ] }, { "type": "paragraph", "children": [ { "type": "text", "value": "We understand this is a bit complicated to understand, so we have built a nifty chart to help clarify the differences!" } ] }, { "type": "heading", "depth": 5, "children": [ { "type": "text", "value": "Origin" } ] }, { "type": "paragraph", "children": [ { "type": "text", "value": "An `origin` is comprised of a URL's `scheme`, `hostname`, and `port`. Given the URLs below, all have the same origin compared to `https://www.cypress.io`:" } ] }, { "type": "list", "ordered": false, "start": null, "spread": false, "children": [ { "type": "listItem", "spread": false, "checked": null, "children": [ { "type": "paragraph", "children": [ { "type": "text", "value": "`https://www.cypress.io/cloud`" } ] } ] }, { "type": "listItem", "spread": false, "checked": null, "children": [ { "type": "paragraph", "children": [ { "type": "text", "value": "`https://www.cypress.io/app`" } ] } ] } ] }, { "type": "paragraph", "children": [ { "type": "text", "value": "But the following have different origins compared to `https://www.cypress.io`:" } ] }, { "type": "list", "ordered": false, "start": null, "spread": false, "children": [ { "type": "listItem", "spread": false, "checked": null, "children": [ { "type": "paragraph", "children": [ { "type": "text", "value": "`http://www.cypress.io` (different `scheme`)" } ] } ] }, { "type": "listItem", "spread": false, "checked": null, "children": [ { "type": "paragraph", "children": [ { "type": "text", "value": "`https://docs.cypress.io` (different `hostname` due to the subdomain)" } ] } ] }, { "type": "listItem", "spread": false, "checked": null, "children": [ { "type": "paragraph", "children": [ { "type": "text", "value": "`https://www.auth0.com` (different `hostname`)" } ] } ] }, { "type": "listItem", "spread": false, "checked": null, "children": [ { "type": "paragraph", "children": [ { "type": "text", "value": "`https://www.cypress.io:81` (different `port`)" } ] } ] } ] }, { "type": "paragraph", "children": [ { "type": "text", "value": "You cannot " }, { "type": "link", "title": null, "url": "/llm/markdown/api/commands/visit.md", "children": [ { "type": "text", "value": "visit" } ] }, { "type": "text", "value": " two different origins in the same test and continue to interact with the page without the use of the " }, { "type": "link", "title": null, "url": "/llm/markdown/api/commands/origin.md", "children": [ { "type": "text", "value": "`cy.origin()`" } ] }, { "type": "text", "value": " command." } ] }, { "type": "paragraph", "children": [ { "type": "text", "value": "You can " }, { "type": "link", "title": null, "url": "/llm/markdown/api/commands/visit.md", "children": [ { "type": "text", "value": "visit" } ] }, { "type": "text", "value": " two or more origins in different tests without needing " }, { "type": "link", "title": null, "url": "/llm/markdown/api/commands/origin.md", "children": [ { "type": "text", "value": "`cy.origin()`" } ] }, { "type": "text", "value": ". :::" } ] }, { "type": "paragraph", "children": [ { "type": "text", "value": "For practical purposes, this means the following:" } ] }, { "type": "code", "lang": null, "meta": null, "value": "// This test will run without errorit('navigates', () => { cy.visit('https://www.cypress.io') cy.visit('https://www.cypress.io/app') cy.get('selector') // yup all good})" }, { "type": "code", "lang": null, "meta": null, "value": "// this will error because the origin https://docs.cypress.io doesn't match the origin https://www.cypress.ioit('navigates', () => { cy.visit('https://www.cypress.io') cy.visit('https://docs.cypress.io') cy.get('selector')})" }, { "type": "paragraph", "children": [ { "type": "text", "value": "To fix the above cross-origin error, use `cy.origin()` to indicate which origin the sequential command should run against:" } ] }, { "type": "code", "lang": null, "meta": null, "value": "it('navigates', () => { cy.visit('https://example.cypress.io') cy.visit('https://docs.cypress.io') cy.origin('https://docs.cypress.io', () => { cy.get('selector') // yup all good })})" }, { "type": "code", "lang": null, "meta": null, "value": "it('navigates', () => { cy.visit('https://www.cypress.io')})// split visiting different origin in another testit('navigates to new origin', () => { cy.visit('https://cypress-dx.com') cy.get('selector') // yup all good})" }, { "type": "heading", "depth": 3, "children": [ { "type": "text", "value": "Cross-origin iframes" } ] }, { "type": "paragraph", "children": [ { "type": "text", "value": "If your site embeds an `