Html UI report without enable same-origin assets #6661
Description
Clear and concise description of the problem
As of now, html report has such markup:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<link rel="icon" href="./favicon.ico" sizes="48x48">
<link rel="icon" href="./favicon.svg" sizes="any" type="image/svg+xml">
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Vitest</title>
<link rel="preconnect" href="https://fonts.googleapis.com" />
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin />
<link
href="https://fonts.googleapis.com/css2?family=Readex+Pro:wght@300;400&display=swap"
rel="stylesheet"
/>
<script>
(function () {
const prefersDark =
window.matchMedia &&
window.matchMedia("(prefers-color-scheme: dark)").matches;
const setting = localStorage.getItem("vueuse-color-scheme") || "auto";
if (setting === "dark" || (prefersDark && setting !== "light"))
document.documentElement.classList.toggle("dark", true);
})();
</script>
<!-- !LOAD_METADATA! -->
<script type="module" crossorigin src="./assets/index-DsWp6aFQ.js"></script>
<link rel="stylesheet" crossorigin href="./assets/index-D5rK8X7L.css">
</head>
<body>
<div id="app"></div>
</body>
</html>It always contain crossorigin attribute, which enables same-origin policy.
When we upload generated report for every url in our artifact storage, it returns every response with SSO checks (location header). And this breaks this report (blank page, FF shows Cross-Origin violation for same origin policy)
Suggested solution
Honestly i do not completely understand why for html report we need crossorigin checks. Nobody share them in internet and it does not look like it make it any way secure as it is completely generated.
To keep it backward compatible as i cannot imagine every possible usecase, can we allow via settings disable crossorign attribute addition?
Alternative
No response
Additional context
No response
Validations
- Follow our Code of Conduct
- Read the Contributing Guidelines.
- Read the docs.
- Check that there isn't already an issue that request the same feature to avoid creating a duplicate.