I am building a Cypress test that logs into my application using @msal-browser PKCE authentication against an Azure B2C tenant which is on a different domain and this is causing x-frame issues for me:
Refused to display 'https://somecrossdomainurl/oauth' in a frame because it set 'X-Frame-Options' to 'deny'.
I realize that cross-domain tests are against Cypress login best practices - however, my authentication method is using PKCE and not an implicit grant flow so I can't get a token on the side without browser interaction. Additionally, the mild risk of flakiness is a tradeoff I'm willing to make for a live integration test that actually logs into my application.
I have used the proposed workaround by installing a third-party extension to ignore X-Frame headers and it's working great. The problem comes when I'm try to run it in --headless
mode. Chrome does not allow extensions to be installed in headless mode so the work-around really isn't tenable for a CI environment.
Outside of stubbing auth, I'm at a loss on how to approach this. Given the known vulnerabilities of implicit flow and the rise of PKCE, it feels there should be an option to handle this within Cypress. I'm relatively new to Cypress so surely I'm missing something easy?