fix: Browser will freeze when sync request is intercepted

cli/CHANGELOG.md

@@ -10,6 +10,7 @@ _Released 12/16/2025 (PENDING)_
 **Bugfixes:**
 
 - Fixed an issue where a EPIPE error shows up after CTRL+C is done in terminal. Fixes [#30659](https://github.com/cypress-io/cypress/issues/30659). Addressed in [#32873](https://github.com/cypress-io/cypress/pull/32873).
+- Fixed an issue where the browser would freeze when Cypress intercepts a synchronous XHR request and a `routeHandler` is used. Fixes [#32874](https://github.com/cypress-io/cypress/issues/32874). Addressed in [#32925](https://github.com/cypress-io/cypress/pull/32925).
 
 ## 15.7.1
 

packages/data-context/schemas/schema.graphql

@@ -1224,6 +1224,9 @@ enum ErrorTypeEnum {
   SETUP_NODE_EVENTS_INVALID_EVENT_NAME_ERROR
   SETUP_NODE_EVENTS_IS_NOT_FUNCTION
   SUPPORT_FILE_NOT_FOUND
+  SYNCHRONOUS_XHR_REQUEST_COOKIES_NOT_APPLIED
+  SYNCHRONOUS_XHR_REQUEST_COOKIES_NOT_SET
+  SYNCHRONOUS_XHR_REQUEST_NOT_INTERCEPTED
   TESTING_TYPE_NOT_CONFIGURED
   TESTS_DID_NOT_START_FAILED
   TESTS_DID_NOT_START_RETRYING

packages/driver/cypress/e2e/commands/net_stubbing.cy.ts

@@ -335,6 +335,147 @@ describe('network stubbing', { retries: 15 }, function () {
       })
     })
 
+    it('does not intercept an XHR sync request with a route handler', () => {
+      cy.intercept('/', {
+        body: `
+          <!DOCTYPE html>
+          <html>
+          <body>
+            <div id="sync_response"></div>
+            <div id="async_response"></div>
+            <script>
+              const xhr = new window.XMLHttpRequest()
+              xhr.open('GET', '/fixtures/valid.json', false)
+              xhr.send()
+              document.querySelector('#sync_response').innerHTML = JSON.stringify(JSON.parse(xhr.responseText))
+
+              const xhr2 = new window.XMLHttpRequest()
+              xhr2.open('GET', '/async', true)
+              xhr2.onload = () => {
+                document.querySelector('#async_response').innerHTML = xhr2.responseText
+              }
+              xhr2.send()
+            </script>
+          </body>
+          </html>
+        `,
+      })
+
+      // this intercept won't get hit because the request is sync
+      cy.intercept('/fixtures/valid.json', () => {}).as('sync')
+
+      // this intercept will get hit because the request is async
+      cy.intercept('/async', (req) => {
+        req.reply({ body: 'async' })
+      }).as('async')
+
+      cy.visit('/')
+      cy.get('#sync_response').should('contain', '{"foo":1,"bar":{"baz":"cypress"}}')
+      cy.get('#async_response').should('contain', 'async')
+      cy.wait('@async')
+    })
+
+    it('does not intercept a cross-origin XHR sync request with a route handler', { browser: '!webkit' }, () => {
+      cy.intercept('http://www.foobar.com:3500/', {
+        body: `
+          <!DOCTYPE html>
+          <html>
+          <body>
+            <div id="sync_response"></div>
+            <div id="async_response"></div>
+            <script>
+              const xhr = new window.XMLHttpRequest()
+              xhr.open('GET', '/fixtures/valid.json', false)
+              xhr.send()
+              document.querySelector('#sync_response').innerHTML = JSON.stringify(JSON.parse(xhr.responseText))
+
+              const xhr2 = new window.XMLHttpRequest()
+              xhr2.open('GET', '/async', true)
+              xhr2.onload = () => {
+                document.querySelector('#async_response').innerHTML = xhr2.responseText
+              }
+              xhr2.send()
+            </script>
+          </body>
+          </html>
+        `,
+      })
+
+      // this intercept won't get hit because the request is sync
+      cy.intercept('http://www.foobar.com:3500/fixtures/valid.json', (req) => {
+        req.reply({ body: '' })
+      })
+
+      // this intercept will get hit because the request is async
+      cy.intercept('http://www.foobar.com:3500/async', (req) => {
+        req.reply({ body: 'async' })
+      }).as('async')
+
+      cy.origin('http://www.foobar.com:3500', () => {
+        cy.visit('http://www.foobar.com:3500/')
+        cy.get('#sync_response').should('contain', '{"foo":1,"bar":{"baz":"cypress"}}')
+        cy.get('#async_response').should('contain', 'async')
+      })
+
+      cy.wait('@async')
+    })
+
+    it('intercepts a sync XHR request from a Worker with a route handler', () => {
+      cy.intercept('/', {
+        body: `
+          <!DOCTYPE html>
+          <html>
+          <body>
+            <div id="sync_response"></div>
+            <div id="async_response"></div>
+            <script>
+              const workerScript = \`
+                const xhr = new XMLHttpRequest()
+                xhr.open('GET', 'http://localhost:3500/fixtures/valid.json', false)
+                xhr.send()
+                postMessage({ type: 'sync', data: JSON.stringify(JSON.parse(xhr.responseText)) })
+
+                const xhr2 = new XMLHttpRequest()
+                xhr2.open('GET', 'http://localhost:3500/async', true)
+                xhr2.onload = () => {
+                  postMessage({ type: 'async', data: xhr2.responseText })
+                }
+                xhr2.send()
+              \`
+              const blob = new Blob([workerScript], { type: 'application/javascript' })
+              const workerURL = URL.createObjectURL(blob)
+              const worker = new Worker(workerURL)
+
+              worker.onmessage = (m) => {
+                if (m.data.type === 'sync') {
+                  document.querySelector('#sync_response').innerHTML = m.data.data
+                } else if (m.data.type === 'async') {
+                  document.querySelector('#async_response').innerHTML = m.data.data
+                }
+              }
+            </script>
+          </body>
+          </html>
+        `,
+      })
+
+      // this intercept will get hit because the sync XHR request is sent from the worker
+      cy.intercept('http://localhost:3500/fixtures/valid.json', (req) => {
+        req.reply({ body: '{"foo":"bar"}' })
+      }).as('sync')
+
+      // this intercept will get hit because the request is async
+      cy.intercept('http://localhost:3500/async', (req) => {
+        req.reply({ body: 'async' })
+      }).as('async')
+
+      cy.visit('/')
+      cy.get('#sync_response').should('contain', '{"foo":"bar"}')
+      cy.get('#async_response').should('contain', 'async')
+      cy.wait('@sync')
+      cy.wait('@async')
+    })
+
     context('overrides', function () {
       it('chains middleware with string matcher as expected', function () {
         const e: string[] = []

packages/driver/cypress/e2e/e2e/origin/cookie_misc.cy.ts

@@ -38,6 +38,63 @@ describe('misc cookie tests', { browser: '!webkit' }, () => {
     })
   })
 
+  it('cookies are not set for XHR sync requests', { browser: '!webkit' }, () => {
+    // this intercept won't get hit because the request is sync
+    cy.intercept('http://www.foobar.com:3500/set-cookie*', (req) => {
+      req.reply({
+        headers: {
+          'set-cookie': 'SYNC_COOKIE=sync',
+        },
+        body: '',
+      })
+    })
+
+    cy.intercept('http://www.foobar.com:3500/async', {
+      headers: {
+        'set-cookie': 'ASYNC_COOKIE=async',
+      },
+      body: '',
+    }).as('async')
+
+    cy.visit('http://localhost:3500/fixtures/empty.html')
+    cy.origin('http://www.foobar.com:3500', () => {
+      cy.visit('http://www.foobar.com:3500/')
+      cy.window().then((win) => {
+        const xhr = new win.XMLHttpRequest()
+
+        xhr.open('GET', '/set-cookie?cookie=foo=bar', false)
+        xhr.send()
+
+        const xhr2 = new win.XMLHttpRequest()
+
+        xhr2.open('GET', '/async', true)
+        xhr2.send()
+      })
+    })
+
+    // cy.getAllCookies does not wait for the cookies to be set, so we need to wait manually
+    cy.wait(500)
+
+    // only the ASYNC_COOKIE=async cookie will be set
+    // SYNC_COOKIE=sync is not set because the intercept is not hit
+    // foo=bar is not set because the request is sync and we are not able to sync the cookie with the automation
+    cy.getAllCookies().then((cookies) => {
+      expect(cookies).to.have.length(1)
+      expect(cookies[0]).to.deep.equal({
+        name: 'ASYNC_COOKIE',
+        value: 'async',
+        domain: 'www.foobar.com',
+        path: '/',
+        httpOnly: false,
+        hostOnly: true,
+        secure: false,
+        sameSite: 'lax',
+      })
+    })
+
+    cy.wait('@async')
+  })
+
   /**
    * FIXES:
    * https://github.com/cypress-io/cypress/issues/25205 (cookies set with expired time with value deleted show up as set with value deleted)

packages/driver/src/cross-origin/cypress.ts

@@ -22,8 +22,8 @@ import { handleTestEvents } from './events/test'
 import { handleMiscEvents } from './events/misc'
 import { handleUnsupportedAPIs } from './unsupported_apis'
 import { patchFormElementSubmit } from './patches/submit'
-import { patchFetch } from '@packages/runner/injection/patches/fetch'
-import { patchXmlHttpRequest } from '@packages/runner/injection/patches/xmlHttpRequest'
+import { patchFetch } from '@packages/runner/injection/patches/cross-origin/fetch'
+import { patchXmlHttpRequest } from '@packages/runner/injection/patches/cross-origin/xmlHttpRequest'
 
 import $Mocha from '../cypress/mocha'
 

packages/errors/src/errors.ts

@@ -1561,6 +1561,21 @@ export const AllCypressErrors = {
     ${fmt.highlightSecondary(error)}
     `
   },
+  SYNCHRONOUS_XHR_REQUEST_NOT_INTERCEPTED: (url: string) => {
+    return errTemplate`\
+        Warning: Synchronous XHR request was not intercepted: ${fmt.url(url)}. Learn more: ${fmt.url('https://on.cypress.io/synchronous-xhr-requests')}
+      `
+  },
+  SYNCHRONOUS_XHR_REQUEST_COOKIES_NOT_APPLIED: (url: string) => {
+    return errTemplate`\
+        Warning: Cookies may not have been applied to synchronous XHR request: ${fmt.url(url)}. Learn more: ${fmt.url('https://on.cypress.io/synchronous-xhr-requests')}
+      `
+  },
+  SYNCHRONOUS_XHR_REQUEST_COOKIES_NOT_SET: (url: string) => {
+    return errTemplate`\
+        Warning: Cookies may not have been set for synchronous XHR response: ${fmt.url(url)}. Learn more: ${fmt.url('https://on.cypress.io/synchronous-xhr-requests')}
+      `
+  },
 } as const
 
 const _typeCheck: Record<keyof AllCypressErrorObj, (...args: any[]) => ErrTemplateResult> = AllCypressErrors

packages/errors/test/__snapshots__/SYNCHRONOUS_XHR_REQUEST_COOKIES_NOT_APPLIED.ansi

@@ -0,0 +1,2 @@
+Warning: Cookies may not have been applied to synchronous XHR request: http://localhost:8080. Learn more: https://on.cypress.io/synchronous-xhr-requests
+

packages/errors/test/__snapshots__/SYNCHRONOUS_XHR_REQUEST_COOKIES_NOT_SET.ansi

@@ -0,0 +1,2 @@
+Warning: Cookies may not have been set for synchronous XHR response: http://localhost:8080. Learn more: https://on.cypress.io/synchronous-xhr-requests
+

packages/errors/test/__snapshots__/SYNCHRONOUS_XHR_REQUEST_NOT_INTERCEPTED.ansi

@@ -0,0 +1,2 @@
+Warning: Synchronous XHR request was not intercepted: http://localhost:8080. Learn more: https://on.cypress.io/synchronous-xhr-requests
+

packages/errors/test/visualSnapshotErrors.spec.ts

@@ -1121,5 +1121,20 @@ describe('visual error templates', () => {
         default: [],
       }
     },
+    SYNCHRONOUS_XHR_REQUEST_NOT_INTERCEPTED: () => {
+      return {
+        default: ['http://localhost:8080'],
+      }
+    },
+    SYNCHRONOUS_XHR_REQUEST_COOKIES_NOT_APPLIED: () => {
+      return {
+        default: ['http://localhost:8080'],
+      }
+    },
+    SYNCHRONOUS_XHR_REQUEST_COOKIES_NOT_SET: () => {
+      return {
+        default: ['http://localhost:8080'],
+      }
+    },
   })
 })

packages/net-stubbing/lib/server/intercepted-request.ts

@@ -13,6 +13,7 @@ import type { BackendRoute, NetStubbingState } from './types'
 import { emit, sendStaticResponse } from './util'
 import type CyServer from '@packages/server'
 import type { BackendStaticResponse } from '../internal-types'
+import * as errors from '@packages/errors'
 
 export class InterceptedRequest {
   id: string
@@ -77,6 +78,14 @@ export class InterceptedRequest {
         continue
       }
 
+      // if the request is sync and the route has an interceptor (i.e. routeHandler), then skip the intercept
+      // because the we cannot wait on the before:request event when the sync request is blocking
+      if (this.req.isSyncRequest && route.hasInterceptor) {
+        errors.warning('SYNCHRONOUS_XHR_REQUEST_NOT_INTERCEPTED', this.req.proxiedUrl)
+
+        continue
+      }
+
       const subscriptionsByRoute = {
         routeId: route.id,
         immediateStaticResponse: route.staticResponse,

packages/net-stubbing/package.json

@@ -23,6 +23,7 @@
     "throttle": "^1.0.3"
   },
   "devDependencies": {
+    "@packages/errors": "0.0.0-development",
     "@packages/network": "0.0.0-development",
     "@packages/proxy": "0.0.0-development",
     "@packages/server": "0.0.0-development",

packages/proxy/lib/http/request-middleware.ts

@@ -11,6 +11,7 @@ import { doesTopNeedToBeSimulated } from './util/top-simulation'
 import type { HttpMiddleware } from './'
 import type { CypressIncomingRequest } from '../types'
 import { urlMatchesOriginProtectionSpace } from '@packages/network-tools'
+import * as errors from '@packages/errors'
 
 // do not use a debug namespace in this file - use the per-request `this.debug` instead
 // available as cypress-verbose:proxy:http
@@ -34,11 +35,16 @@ const ExtractCypressMetadataHeaders: RequestMiddleware = function () {
 
   this.req.isAUTFrame = !!this.req.headers['x-cypress-is-aut-frame']
   this.req.isFromExtraTarget = !!this.req.headers['x-cypress-is-from-extra-target']
+  this.req.isSyncRequest = !!this.req.headers['x-cypress-is-sync-request']
 
   if (this.req.headers['x-cypress-is-aut-frame']) {
     delete this.req.headers['x-cypress-is-aut-frame']
   }
 
+  if (this.req.headers['x-cypress-is-sync-request']) {
+    delete this.req.headers['x-cypress-is-sync-request']
+  }
+
   span?.setAttributes({
     isAUTFrame: this.req.isAUTFrame,
     isFromExtraTarget: this.req.isFromExtraTarget,
@@ -220,6 +226,10 @@ const MaybeAttachCrossOriginCookies: RequestMiddleware = function () {
     return this.next()
   }
 
+  if (this.req.isSyncRequest) {
+    errors.warning('SYNCHRONOUS_XHR_REQUEST_COOKIES_NOT_APPLIED', this.req.proxiedUrl)
+  }
+
   // Top needs to be simulated since the AUT is in a cross origin state. Get the "requested with" and credentials and see what cookies need to be attached
   const currentAUTUrl = this.getAUTUrl()
   const shouldCookiesBeAttachedToRequest = shouldAttachAndSetCookies(this.req.proxiedUrl, currentAUTUrl, this.req.resourceType, this.req.credentialsLevel, this.req.isAUTFrame)

packages/proxy/lib/http/response-middleware.ts

@@ -15,6 +15,7 @@ import { hasServiceWorkerHeader, isVerboseTelemetry as isVerbose } from '.'
 import { CookiesHelper } from './util/cookies'
 import * as rewriter from './util/rewriter'
 import { doesTopNeedToBeSimulated } from './util/top-simulation'
+import * as errors from '@packages/errors'
 
 import type Debug from 'debug'
 import type { CookieOptions } from 'express'
@@ -719,6 +720,17 @@ const MaybeCopyCookiesFromIncomingRes: ResponseMiddleware = async function () {
     return this.next()
   }
 
+  // if the request is sync, we cannot wait on the cross:origin:cookies:received
+  // event since the sync request is blocking. This means that the cross-origin cookies
+  // may not have been applied.
+  if (this.req.isSyncRequest) {
+    errors.warning('SYNCHRONOUS_XHR_REQUEST_COOKIES_NOT_SET', this.req.proxiedUrl)
+
+    span?.end()
+
+    return this.next()
+  }
+
   // we want to set the cookies via automation so they exist in the browser
   // itself. however, firefox will hang if we try to use the extension
   // to set cookies on a url that's in-flight, so we send the cookies down to

packages/proxy/lib/types.ts

@@ -28,6 +28,7 @@ export type CypressIncomingRequest = Request & {
    * Stack-ordered list of `cy.intercept()`s matching this request.
    */
   matchingRoutes?: BackendRoute[]
+  isSyncRequest: boolean
 }
 
 export type RequestCredentialLevel = 'same-origin' | 'include' | 'omit' | boolean