fix: Browser will freeze when sync request is intercepted

[alexsch01]

• Closes Browser will freeze when sync request is intercepted #32874

This issue happens when a synchronous request is intercepted and the routeHandler argument to cy.intercept is given

---

The second part of this PR (prevent cross origin cookies from breaking sync requests)

• prevents the browser from freezing when a sync request is made through the cross origin runner

---

Additional details

---

Note

Avoids freezing by not intercepting synchronous XHRs with route handlers and adds warnings for sync XHR interception/cookie caveats across proxy and runner.

• Network/Proxy:
  • Skip cy.intercept() for synchronous XHRs with a routeHandler (intercepted-request.ts); emit warning SYNCHRONOUS_XHR_REQUEST_NOT_INTERCEPTED.
  • Detect sync XHR via x-cypress-is-sync-request header; plumb through request pipeline (request-middleware.ts, types.ts).
  • Warn when cross-origin cookies may not be applied/set for sync XHRs in request/response middleware.
• Runner Injection:
  • Patch XHR in both primary and cross-origin injections to set x-cypress-is-sync-request and avoid awaiting credentials for sync requests; reorganize patches under patches/cross-origin/*.
• Errors/Schema:
  • Add new warnings: SYNCHRONOUS_XHR_REQUEST_NOT_INTERCEPTED, SYNCHRONOUS_XHR_REQUEST_COOKIES_NOT_APPLIED, SYNCHRONOUS_XHR_REQUEST_COOKIES_NOT_SET (errors, snapshots, GraphQL enum).
• Tests:
  • Add e2e tests for sync XHR interception behavior (including worker and cross-origin) and cookie behavior; update system tests to assert terminal warnings; unit tests for new header handling.
• Misc:
  • Update CHANGELOG with bugfix; adjust import paths; add @packages/errors devDependency in net-stubbing.

^{Written by Cursor Bugbot for commit 8526514. This will update automatically on new commits. Configure here.}

Steps to test

Verify intercepted synchronous XHR requests with a routeHandler no longer cause the browser to hang.
Verify a synchronous XHR request from within a cy.origin block and a set-cookie in the response no longer cause the browser to hang.

How has the user experience changed?

The browser no longer hangs with synchronous XHR requests.

PR Tasks

• Have tests been added/updated?
• Has a PR for user-facing changes been opened in cypress-documentation? doc: add docs for synchronous XHR requests cypress-documentation#6332
• [na] Have API changes been updated in the type definitions?

[cypress-app-bot]

• Create a Draft Pull Request if your PR is not ready for review. Mark the PR as Ready for Review when you're ready for a Cypress team member to review the PR.

[mschile]

Hi @alexsch01 👋🏼, thanks for opening this PR! Just to make sure I understand the proposed changes, this would resolve the freezing issue but the routeHandler of the intercepted request would not be executed. Is my understanding correct?

[alexsch01]

Hi @alexsch01 👋🏼, thanks for opening this PR! Just to make sure I understand the proposed changes, this would resolve the freezing issue but the routeHandler of the intercepted request would not be executed. Is my understanding correct?

The routeHandler is executed but the request that goes to the server won't be modified

req.headers["foo"] = "bar"

The server will not get this since it's not resolved, but anything you console.log in the routeHandler will print in DevTools console

[mschile]

Ok, I see the before:request event is still emitted but since this is a sync request, the event is received after the sync request has already been fully processed. I'm going to discuss this further with the team but my initial thought is that we should skip the adding the subscriptions entirely here.

[alexsch01]

The second part of the fix (7b4f2e7) fixes a freezing issue when there's a sync request in cy.origin block

The downside is cross-origin cookies most likely won't work in this case

In cases where you must use cy.origin due to navigating to a different subdomain, this allows the test to work as expected when there's a sync request

[mschile]

Thanks for cross origin explanation. I'll have to look into it further.

[mschile]

@alexsch01, I discussed this PR with the rest of the team and we are good with proceeding. We should skip adding the subscriptions entirely here so the routeHandler won't get run. We would also like to log out some warnings to the terminal to inform the user that the sync request was not intercepted and for the cross-origin case that cookies may not have been applied.

[alexsch01]

@mschile I skipped adding the subscriptions entirely for sync requests and added the 2 warnings

Let me know how that looks

[alexsch01]

Looks good overall! Made a few changes. Let's go ahead and add some unit and e2e tests.

made some tests, your changes look good

[AtofStryker]

I don't think we need to fully patch XMLHttpRequest in the main injection code as we do in the cross-origin code. if we need to detect a sync request in the main injection, we likely want to create a partial patch as well as add documentation in the code as to why we are patching the main injection code because right now that is not entirely obvious.

[AtofStryker]

So I completely misread the diff where the patches got moved, so the main injection patch really is simple like we need. My fault on that! Rest of the PR looks good on my end

[alexsch01]

@mschile in firefox for the driver cookie_misc test, the sync cookie is set so the length of cookies array is 2
Doesn't happen in Chrome

[mschile]

@mschile in firefox for the driver cookie_misc test, the sync cookie is set so the length of cookies array is 2 Doesn't happen in Chrome

Yep, I'm updating the test since Firefox does indeed get the cookie.

[alexsch01]

Thank you guys so much on working with me on this!

I just tested the pre-release and it works perfectly