fix: rewrite top.window.location as self.window.location. This is done under modifyObstructiveCode flag (#31688)

Author: AtofStryker

.circleci/workflows.yml

@@ -38,7 +38,7 @@ mainBuildFilters: &mainBuildFilters
         - /^release\/\d+\.\d+\.\d+$/
         # use the following branch as well to ensure that v8 snapshot cache updates are fully tested
         - 'update-v8-snapshot-cache-on-develop'
-        - 'feat/add_webpack_bundle_analyzer'
+        - 'fix/top_framebust_window_location'
 
 # usually we don't build Mac app - it takes a long time
 # but sometimes we want to really confirm we are doing the right thing
@@ -49,7 +49,7 @@ macWorkflowFilters: &darwin-workflow-filters
       - equal: [ develop, << pipeline.git.branch >> ]
       # use the following branch as well to ensure that v8 snapshot cache updates are fully tested
       - equal: [ 'update-v8-snapshot-cache-on-develop', << pipeline.git.branch >> ]
-      - equal: [ 'feat/add_webpack_bundle_analyzer', << pipeline.git.branch >> ]
+      - equal: [ 'fix/top_framebust_window_location', << pipeline.git.branch >> ]
       - matches:
           pattern: /^release\/\d+\.\d+\.\d+$/
           value: << pipeline.git.branch >>
@@ -60,7 +60,7 @@ linuxArm64WorkflowFilters: &linux-arm64-workflow-filters
       - equal: [ develop, << pipeline.git.branch >> ]
       # use the following branch as well to ensure that v8 snapshot cache updates are fully tested
       - equal: [ 'update-v8-snapshot-cache-on-develop', << pipeline.git.branch >> ]
-      - equal: [ 'feat/add_webpack_bundle_analyzer', << pipeline.git.branch >> ]
+      - equal: [ 'fix/top_framebust_window_location', << pipeline.git.branch >> ]
       - matches:
           pattern: /^release\/\d+\.\d+\.\d+$/
           value: << pipeline.git.branch >>
@@ -83,7 +83,7 @@ windowsWorkflowFilters: &windows-workflow-filters
       - equal: [ develop, << pipeline.git.branch >> ]
       # use the following branch as well to ensure that v8 snapshot cache updates are fully tested
       - equal: [ 'update-v8-snapshot-cache-on-develop', << pipeline.git.branch >> ]
-      - equal: [ 'feat/add_webpack_bundle_analyzer', << pipeline.git.branch >> ]
+      - equal: [ 'fix/top_framebust_window_location', << pipeline.git.branch >> ]
       - matches:
           pattern: /^release\/\d+\.\d+\.\d+$/
           value: << pipeline.git.branch >>
@@ -157,7 +157,7 @@ commands:
           name: Set environment variable to determine whether or not to persist artifacts
           command: |
             echo "Setting SHOULD_PERSIST_ARTIFACTS variable"
-            echo 'if ! [[ "$CIRCLE_BRANCH" != "develop" && "$CIRCLE_BRANCH" != "release/"* && "$CIRCLE_BRANCH" != "feat/add_webpack_bundle_analyzer" ]]; then
+            echo 'if ! [[ "$CIRCLE_BRANCH" != "develop" && "$CIRCLE_BRANCH" != "release/"* && "$CIRCLE_BRANCH" != "fix/top_framebust_window_location" ]]; then
                 export SHOULD_PERSIST_ARTIFACTS=true
             fi' >> "$BASH_ENV"
   # You must run `setup_should_persist_artifacts` command and be using bash before running this command

cli/CHANGELOG.md

@@ -10,6 +10,7 @@ _Released 5/20/2025 (PENDING)_
 **Bugfixes:**
 
 - Fixed an issue with the experimental usage of WebKit where Cypress incorrectly displayed `0` as the WebKit version. Addresses [#31684](https://github.com/cypress-io/cypress/issues/31684).
+- Fixed an issue where framebusting was occurring when `top.window.location` was being set explicitly. This fix does not require the `experimentalModifyObstructiveThirdPartyCode` configuration option. Addresses [#31687](https://github.com/cypress-io/cypress/issues/31687).
 
 **Misc:**
 

packages/proxy/lib/http/util/regex-rewriter.ts

@@ -12,6 +12,9 @@ const topOrParentEqualityAfterRe = /(top|parent)((?:["']\])?\s*[!=]==?\s*(?:\bwi
 const topOrParentExpandedEqualityBeforeRe = /((?:\bwindow\b|\bself\b|\b[a-zA-z]\.\b)(?:\.|\[['"](?:top|self)['"]\])?\s*[!=]==?\s*(?:(?:window|self|[a-zA-z])(?:\.|\[['"]))?)(top|parent)(?![\w])/g
 const topOrParentExpandedEqualityAfterRe = /(top|parent)((?:["']\])?\s*[!=]==?\s*(?:\bwindow\b|\b(?:[a-zA-z]\.)?self\b))/g
 
+// outright frame busting with top.window.location = 'https://www.foobar.com'
+const topWindowLocationRe = /(top)(\.window\.location\s?=)/g
+
 const topOrParentLocationOrFramesRe = /([^\da-zA-Z\(\)])?(\btop\b|\bparent\b)([.])(\blocation\b|\bframes\b)/g
 
 const jiraTopWindowGetterRe = /(!function\s*\((\w{1})\)\s*{\s*return\s*\w{1}\s*(?:={2,})\s*\w{1}\.parent)(\s*}\(\w{1}\))/g
@@ -38,6 +41,7 @@ export function strip (html: string, { modifyObstructiveThirdPartyCode }: Partia
   .replace(topOrParentLocationOrFramesRe, '$1self$3$4')
   .replace(jiraTopWindowGetterRe, '$1 || $2.parent.__Cypress__$3')
   .replace(jiraTopWindowGetterUnMinifiedRe, '$1 || $2.parent.__Cypress__$3')
+  .replace(topWindowLocationRe, 'self$2')
 
   if (modifyObstructiveThirdPartyCode) {
     rewrittenHTML = rewrittenHTML.replace(javaScriptIntegrityReplacementRe, `['${STRIPPED_INTEGRITY_TAG}']$2`)
@@ -59,6 +63,7 @@ export function stripStream ({ modifyObstructiveThirdPartyCode }: Partial<Securi
         topOrParentLocationOrFramesRe,
         jiraTopWindowGetterRe,
         jiraTopWindowGetterUnMinifiedRe,
+        topWindowLocationRe,
         ...(modifyObstructiveThirdPartyCode ? [
           javaScriptIntegrityReplacementRe,
           generalIntegrityReplacementRe,
@@ -70,6 +75,7 @@ export function stripStream ({ modifyObstructiveThirdPartyCode }: Partial<Securi
         '$1self$3$4',
         '$1 || $2.parent.__Cypress__$3',
         '$1 || $2.parent.__Cypress__$3',
+        'self$2',
         ...(modifyObstructiveThirdPartyCode ? [
           `['${STRIPPED_INTEGRITY_TAG}']$2`,
           `${STRIPPED_INTEGRITY_TAG}$3`,

packages/proxy/test/unit/http/util/regex-rewriter.spec.ts

@@ -82,6 +82,7 @@ const original = `\
       if (fooparent===selfVar) return
       if (loadStop===windowFile) return
       if (fooparent===windowFile) return
+      top.window.location='https://www.foobar.com'
     </script>
   </body>
 </html>\
@@ -163,6 +164,7 @@ const expected = `\
       if (fooparent===selfVar) return
       if (loadStop===windowFile) return
       if (fooparent===windowFile) return
+      self.window.location='https://www.foobar.com'
     </script>
   </body>
 </html>\