[🚀 Feature]: Add an option to remove "remote-allow-origins" from ChromeOptions

[gtach2o]

Feature and motivation

After this happend

    // Allowing any origin "*" might sound risky but an attacker would need to know
    // the port used to start DevTools to establish a connection. Given these sessions
    // are relatively short-lived, the risk is reduced. Also, this will be removed when
    // we only support Java 11 and above.
    addArguments("--remote-allow-origins=*");

our tests stoped working. We can't update to Selenium 4.8.2 or higher
We awlays use latest chrome driver, current is 112.0.5615.49
JDK native http client
Java 20
and everything was working fine until 4.8.2 released
{args=[--remote-allow-origins=*, is breaking our automation.
How to remove it from default chrome options? We don't need it.

Usage example

removeArguments("--remote-allow-origins=*");

[github-actions]

@gtach2o, thank you for creating this issue. We will troubleshoot it as soon as we can.

---

Info for maintainers

Triage this issue by using labels.

If information is missing, add a helpful comment and then I-issue-template label.

If the issue is a question, add the I-question label.

If the issue is valid but there is no time to troubleshoot it, consider adding the help wanted label.

If the issue requires changes or fixes from an external project (e.g., ChromeDriver, GeckoDriver, MSEdgeDriver, W3C), add the applicable G-* label, and it will provide the correct link and auto-close the issue.

After troubleshooting the issue, please add the R-awaiting answer label.

Thank you!

[diemol]

What error do you get?

[gtach2o]

What error do you get?

Well, there is no exact error I can share. Adding --remote-allow-origins=* in some way affects the iteraction with browser.
Next step after click fails, seems like synchronization doesn't work properly, Selenium doesn't wait properly for page loading.
When we swtich back to 4.8.1 everything works with no issue.

[gtach2o]

Maybe adding --remote-allow-origins=* does help when netty is still used.
But have you tested it with org.seleniumhq.selenium:selenium-http-jdk-client:4.8.2 and System.setProperty("webdriver.http.factory", "jdk-http-client"); ?

[titusfortner]

@diemol are we setting it based on the condition that system property is not set?

[gtach2o]

There is no condition
https://github.com/SeleniumHQ/selenium/blob/trunk/java/src/org/openqa/selenium/chromium/ChromiumOptions.java#L138

[gtach2o]

Actually our tests fail with

org.openqa.selenium.InvalidSelectorException: invalid selector: Unable to locate an element with the xpath expression 

And I have just noticed this
https://www.selenium.dev/blog/2023/invalid-selector-exception-has-changed/

The expected result before this change would be that the driver waits until the timeout expires and then throw an InvalidSelectorException.

This doesn’t make much sense because a broken/invalid selector would never fix itself, and hence should throw immediately.

Really? What about SPA when click can change DOM without page reload? The xpath is valid.

Please note that this may have an impact on backwards compatibility

Why it was released under 4.8.2 and not 5.0.0 ?

[gtach2o]

Got it working after adding InvalidSelectorException into catch
Tested with 4.9.0

• --remote-allow-origins=* doesn't affect jdk-http-client usage.

I was misled by the lots of important changes made in just a patch release.

Thank you everyone!

[titusfortner]

1. We do not do semantic versioning because there are too many different changes that need to be made in different languages
2. That "breaking change" was a bug fix not a feature change. If you get InvalidSelectorException you will never locate an element with it, regardless of page changes. This is why we changed the error; important information about your code was being hidden by an unrelated error.

[titusfortner]

I'm going to reopen this because I still think we should consider only setting that value if users are using the old http client.
We can close once we decide if we want to do that or not.