chore: client certificates api review (#31826)

docs/src/api/params.md

@@ -523,14 +523,17 @@ Does not enforce fixed viewport, allows resizing window in the headed mode.
 
 ## context-option-clientCertificates
 - `clientCertificates` <[Array]<[Object]>>
-  - `url` <[string]> Glob pattern to match the URLs that the certificate is valid for.
+  - `origin` <[string]> Glob pattern to match against the request origin that the certificate is valid for.
-  - `certs` <[Array]<[Object]>> List of client certificates to be used.
+  - `certPath` ?<[string]> Path to the file with the certificate in PEM format.
-    - `certPath` ?<[string]> Path to the file with the certificate in PEM format.
+  - `keyPath` ?<[string]> Path to the file with the private key in PEM format.
-    - `keyPath` ?<[string]> Path to the file with the private key in PEM format.
+  - `pfxPath` ?<[string]> Path to the PFX or PKCS12 encoded private key and certificate chain.
-    - `pfxPath` ?<[string]> Path to the PFX or PKCS12 encoded private key and certificate chain.
+  - `passphrase` ?<[string]> Passphrase for the private key (PEM or PFX).
-    - `passphrase` ?<[string]> Passphrase for the private key (PEM or PFX).
 
-An array of client certificates to be used. Each certificate object must have both `certPath` and `keyPath` or a single `pfxPath` to load the client certificate. Optionally, `passphrase` property should be provided if the private key is encrypted. If the certificate is valid only for specific URLs, the `url` property should be provided with a glob pattern to match the URLs that the certificate is valid for.
+TLS Client Authentication allows the server to request a client certificate and verify it.
+
+**Details**
+
+An array of client certificates to be used. Each certificate object must have both `certPath` and `keyPath` or a single `pfxPath` to load the client certificate. Optionally, `passphrase` property should be provided if the certficiate is encrypted. If the certificate is valid only for specific origins, the `origin` property should be provided with a glob pattern to match the origins that the certificate is valid for.
 
 :::note
 Using Client Certificates in combination with Proxy Servers is not supported.

docs/src/test-api/class-testoptions.md

@@ -148,22 +148,14 @@ export default defineConfig({
 import { defineConfig } from '@playwright/test';
 
 export default defineConfig({
-  projects: [
+  use: {
-    {
+    clientCertificates: [{
-      name: 'Microsoft Edge',
+      origin: 'https://example.com',
-      use: {
+      certPath: './cert.pem',
-        ...devices['Desktop Edge'],
+      keyPath: './key.pem',
-        clientCertificates: [{
+      passphrase: 'mysecretpassword',
-          url: 'https://example.com/**',
+    }],
-          certs: [{
+  },
-            certPath: './cert.pem',
-            keyPath: './key.pem',
-            passphrase: 'mysecretpassword',
-          }],
-        }],
-      },
-    },
-  ]
 });
 ```
 

packages/playwright-core/src/client/browserContext.ts

@@ -550,20 +550,16 @@ function toAcceptDownloadsProtocol(acceptDownloads?: boolean) {
   return 'deny';
 }
 
-export async function toClientCertificatesProtocol(clientCertificates?: BrowserContextOptions['clientCertificates']): Promise<channels.PlaywrightNewRequestParams['clientCertificates']> {
+export async function toClientCertificatesProtocol(certs?: BrowserContextOptions['clientCertificates']): Promise<channels.PlaywrightNewRequestParams['clientCertificates']> {
-  if (!clientCertificates)
+  if (!certs)
     return undefined;
-  return await Promise.all(clientCertificates.map(async clientCertificate => {
+  return await Promise.all(certs.map(async cert => {
     return {
-      url: clientCertificate.url,
+      origin: cert.origin,
-      certs: await Promise.all(clientCertificate.certs.map(async cert => {
+      cert: cert.certPath ? await fs.promises.readFile(cert.certPath) : undefined,
-        return {
+      key: cert.keyPath ? await fs.promises.readFile(cert.keyPath) : undefined,
-          cert: cert.certPath ? await fs.promises.readFile(cert.certPath) : undefined,
+      pfx: cert.pfxPath ? await fs.promises.readFile(cert.pfxPath) : undefined,
-          key: cert.keyPath ? await fs.promises.readFile(cert.keyPath) : undefined,
+      passphrase: cert.passphrase,
-          pfx: cert.pfxPath ? await fs.promises.readFile(cert.pfxPath) : undefined,
-          passphrase: cert.passphrase,
-        };
-      }))
     };
   }));
 }

packages/playwright-core/src/client/types.ts

@@ -48,13 +48,11 @@ export type LifecycleEvent = channels.LifecycleEvent;
 export const kLifecycleEvents: Set<LifecycleEvent> = new Set(['load', 'domcontentloaded', 'networkidle', 'commit']);
 
 export type ClientCertificate = {
-  url: string;
+  origin: string;
-  certs: {
+  certPath?: string;
-    certPath?: string;
+  keyPath?: string;
-    keyPath?: string;
+  pfxPath?: string;
-    pfxPath?: string;
+  passphrase?: string;
-    passphrase?: string;
-  }[];
 };
 
 export type BrowserContextOptions = Omit<channels.BrowserNewContextOptions, 'viewport' | 'noDefaultViewport' | 'extraHTTPHeaders' | 'clientCertificates' | 'storageState' | 'recordHar' | 'colorScheme' | 'reducedMotion' | 'forcedColors' | 'acceptDownloads'> & {

packages/playwright-core/src/protocol/validator.ts

@@ -337,13 +337,11 @@ scheme.PlaywrightNewRequestParams = tObject({
   ignoreHTTPSErrors: tOptional(tBoolean),
   extraHTTPHeaders: tOptional(tArray(tType('NameValue'))),
   clientCertificates: tOptional(tArray(tObject({
-    url: tString,
+    origin: tString,
-    certs: tArray(tObject({
+    cert: tOptional(tBinary),
-      cert: tOptional(tBinary),
+    key: tOptional(tBinary),
-      key: tOptional(tBinary),
+    passphrase: tOptional(tString),
-      passphrase: tOptional(tString),
+    pfx: tOptional(tBinary),
-      pfx: tOptional(tBinary),
-    })),
   }))),
   httpCredentials: tOptional(tObject({
     username: tString,
@@ -547,13 +545,11 @@ scheme.BrowserTypeLaunchPersistentContextParams = tObject({
   })),
   ignoreHTTPSErrors: tOptional(tBoolean),
   clientCertificates: tOptional(tArray(tObject({
-    url: tString,
+    origin: tString,
-    certs: tArray(tObject({
+    cert: tOptional(tBinary),
-      cert: tOptional(tBinary),
+    key: tOptional(tBinary),
-      key: tOptional(tBinary),
+    passphrase: tOptional(tString),
-      passphrase: tOptional(tString),
+    pfx: tOptional(tBinary),
-      pfx: tOptional(tBinary),
-    })),
   }))),
   javaScriptEnabled: tOptional(tBoolean),
   bypassCSP: tOptional(tBoolean),
@@ -635,13 +631,11 @@ scheme.BrowserNewContextParams = tObject({
   })),
   ignoreHTTPSErrors: tOptional(tBoolean),
   clientCertificates: tOptional(tArray(tObject({
-    url: tString,
+    origin: tString,
-    certs: tArray(tObject({
+    cert: tOptional(tBinary),
-      cert: tOptional(tBinary),
+    key: tOptional(tBinary),
-      key: tOptional(tBinary),
+    passphrase: tOptional(tString),
-      passphrase: tOptional(tString),
+    pfx: tOptional(tBinary),
-      pfx: tOptional(tBinary),
-    })),
   }))),
   javaScriptEnabled: tOptional(tBoolean),
   bypassCSP: tOptional(tBoolean),
@@ -706,13 +700,11 @@ scheme.BrowserNewContextForReuseParams = tObject({
   })),
   ignoreHTTPSErrors: tOptional(tBoolean),
   clientCertificates: tOptional(tArray(tObject({
-    url: tString,
+    origin: tString,
-    certs: tArray(tObject({
+    cert: tOptional(tBinary),
-      cert: tOptional(tBinary),
+    key: tOptional(tBinary),
-      key: tOptional(tBinary),
+    passphrase: tOptional(tString),
-      passphrase: tOptional(tString),
+    pfx: tOptional(tBinary),
-      pfx: tOptional(tBinary),
-    })),
   }))),
   javaScriptEnabled: tOptional(tBoolean),
   bypassCSP: tOptional(tBoolean),
@@ -2526,13 +2518,11 @@ scheme.AndroidDeviceLaunchBrowserParams = tObject({
   })),
   ignoreHTTPSErrors: tOptional(tBoolean),
   clientCertificates: tOptional(tArray(tObject({
-    url: tString,
+    origin: tString,
-    certs: tArray(tObject({
+    cert: tOptional(tBinary),
-      cert: tOptional(tBinary),
+    key: tOptional(tBinary),
-      key: tOptional(tBinary),
+    passphrase: tOptional(tString),
-      passphrase: tOptional(tString),
+    pfx: tOptional(tBinary),
-      pfx: tOptional(tBinary),
-    })),
   }))),
   javaScriptEnabled: tOptional(tBoolean),
   bypassCSP: tOptional(tBoolean),

packages/playwright-core/src/server/browserContext.ts

@@ -725,21 +725,17 @@ export function verifyGeolocation(geolocation?: types.Geolocation) {
 export function verifyClientCertificates(clientCertificates?: channels.BrowserNewContextParams['clientCertificates']) {
   if (!clientCertificates)
     return;
-  for (const { url, certs } of clientCertificates) {
+  for (const cert of clientCertificates) {
-    if (!url)
+    if (!cert.origin)
-      throw new Error(`clientCertificates.url is required`);
+      throw new Error(`clientCertificates.origin is required`);
-    if (!certs.length)
+    if (!cert.cert && !cert.key && !cert.passphrase && !cert.pfx)
-      throw new Error('No certs specified for url: ' + url);
+      throw new Error('None of cert, key, passphrase or pfx is specified');
-    for (const cert of certs) {
+    if (cert.cert && !cert.key)
-      if (!cert.cert && !cert.key && !cert.passphrase && !cert.pfx)
+      throw new Error('cert is specified without key');
-        throw new Error('None of cert, key, passphrase or pfx is specified');
+    if (!cert.cert && cert.key)
-      if (cert.cert && !cert.key)
+      throw new Error('key is specified without cert');
-        throw new Error('cert is specified without key');
+    if (cert.pfx && (cert.cert || cert.key))
-      if (!cert.cert && cert.key)
+      throw new Error('pfx is specified together with cert, key or passphrase');
-        throw new Error('key is specified without cert');
-      if (cert.pfx && (cert.cert || cert.key))
-        throw new Error('pfx is specified together with cert, key or passphrase');
-    }
   }
 }
 

packages/playwright-core/src/server/fetch.ts

@@ -193,7 +193,7 @@ export abstract class APIRequestContext extends SdkObject {
       maxRedirects: params.maxRedirects === 0 ? -1 : params.maxRedirects === undefined ? 20 : params.maxRedirects,
       timeout,
       deadline,
-      ...clientCertificatesToTLSOptions(this._defaultOptions().clientCertificates, requestUrl.toString()),
+      ...clientCertificatesToTLSOptions(this._defaultOptions().clientCertificates, requestUrl.origin),
       __testHookLookup: (params as any).__testHookLookup,
     };
     if (process.env.PWTEST_UNSUPPORTED_CUSTOM_CA && isUnderTest())
@@ -357,7 +357,7 @@ export abstract class APIRequestContext extends SdkObject {
             maxRedirects: options.maxRedirects - 1,
             timeout: options.timeout,
             deadline: options.deadline,
-            ...clientCertificatesToTLSOptions(this._defaultOptions().clientCertificates, url.toString()),
+            ...clientCertificatesToTLSOptions(this._defaultOptions().clientCertificates, url.origin),
             __testHookLookup: options.__testHookLookup,
           };
           // rejectUnauthorized = undefined is treated as true in node 12.

packages/playwright-core/src/server/socksClientCertificatesInterceptor.ts

@@ -97,7 +97,7 @@ class SocksProxyConnection {
         host: this.host,
         port: this.port,
         rejectUnauthorized: !this.socksProxy.ignoreHTTPSErrors,
-        ...clientCertificatesToTLSOptions(this.socksProxy.clientCertificates, `https://${this.host}:${this.port}/`),
+        ...clientCertificatesToTLSOptions(this.socksProxy.clientCertificates, `https://${this.host}:${this.port}`),
       };
       if (!net.isIP(this.host))
         tlsOptions.servername = this.host;
@@ -183,7 +183,7 @@ export function clientCertificatesToTLSOptions(
   const matchingCerts = clientCertificates?.filter(c => {
     let regex: RegExp | undefined = (c as any)[kClientCertificatesGlobRegex];
     if (!regex) {
-      regex = globToRegex(c.url);
+      regex = globToRegex(c.origin);
       (c as any)[kClientCertificatesGlobRegex] = regex;
     }
     regex.lastIndex = 0;
@@ -196,15 +196,13 @@ export function clientCertificatesToTLSOptions(
     key: [] as { pem: Buffer, passphrase?: string }[],
     cert: [] as Buffer[],
   };
-  for (const { certs } of matchingCerts) {
+  for (const cert of matchingCerts) {
-    for (const cert of certs) {
+    if (cert.cert)
-      if (cert.cert)
+      tlsOptions.cert.push(cert.cert);
-        tlsOptions.cert.push(cert.cert);
+    if (cert.key)
-      if (cert.key)
+      tlsOptions.key.push({ pem: cert.key, passphrase: cert.passphrase });
-        tlsOptions.key.push({ pem: cert.key, passphrase: cert.passphrase });
+    if (cert.pfx)
-      if (cert.pfx)
+      tlsOptions.pfx.push({ buf: cert.pfx, passphrase: cert.passphrase });
-        tlsOptions.pfx.push({ buf: cert.pfx, passphrase: cert.passphrase });
-    }
   }
   return tlsOptions;
 }

packages/playwright-core/types/types.d.ts

@@ -13166,10 +13166,14 @@ export interface BrowserType<Unused = {}> {
     chromiumSandbox?: boolean;
 
     /**
+     * TLS Client Authentication allows the server to request a client certificate and verify it.
+     *
+     * **Details**
+     *
      * An array of client certificates to be used. Each certificate object must have both `certPath` and `keyPath` or a
      * single `pfxPath` to load the client certificate. Optionally, `passphrase` property should be provided if the
-     * private key is encrypted. If the certificate is valid only for specific URLs, the `url` property should be provided
+     * certficiate is encrypted. If the certificate is valid only for specific origins, the `origin` property should be
-     * with a glob pattern to match the URLs that the certificate is valid for.
+     * provided with a glob pattern to match the origins that the certificate is valid for.
      *
      * **NOTE** Using Client Certificates in combination with Proxy Servers is not supported.
      *
@@ -13178,34 +13182,29 @@ export interface BrowserType<Unused = {}> {
      */
     clientCertificates?: Array<{
       /**
-       * Glob pattern to match the URLs that the certificate is valid for.
+       * Glob pattern to match against the request origin that the certificate is valid for.
        */
-      url: string;
+      origin: string;
 
       /**
-       * List of client certificates to be used.
+       * Path to the file with the certificate in PEM format.
        */
-      certs: Array<{
+      certPath?: string;
-        /**
-         * Path to the file with the certificate in PEM format.
-         */
-        certPath?: string;
 
-        /**
+      /**
-         * Path to the file with the private key in PEM format.
+       * Path to the file with the private key in PEM format.
-         */
+       */
-        keyPath?: string;
+      keyPath?: string;
 
-        /**
+      /**
-         * Path to the PFX or PKCS12 encoded private key and certificate chain.
+       * Path to the PFX or PKCS12 encoded private key and certificate chain.
-         */
+       */
-        pfxPath?: string;
+      pfxPath?: string;
 
-        /**
+      /**
-         * Passphrase for the private key (PEM or PFX).
+       * Passphrase for the private key (PEM or PFX).
-         */
+       */
-        passphrase?: string;
+      passphrase?: string;
-      }>;
     }>;
 
     /**
@@ -15578,10 +15577,14 @@ export interface APIRequest {
     baseURL?: string;
 
     /**
+     * TLS Client Authentication allows the server to request a client certificate and verify it.
+     *
+     * **Details**
+     *
      * An array of client certificates to be used. Each certificate object must have both `certPath` and `keyPath` or a
      * single `pfxPath` to load the client certificate. Optionally, `passphrase` property should be provided if the
-     * private key is encrypted. If the certificate is valid only for specific URLs, the `url` property should be provided
+     * certficiate is encrypted. If the certificate is valid only for specific origins, the `origin` property should be
-     * with a glob pattern to match the URLs that the certificate is valid for.
+     * provided with a glob pattern to match the origins that the certificate is valid for.
      *
      * **NOTE** Using Client Certificates in combination with Proxy Servers is not supported.
      *
@@ -15590,34 +15593,29 @@ export interface APIRequest {
      */
     clientCertificates?: Array<{
       /**
-       * Glob pattern to match the URLs that the certificate is valid for.
+       * Glob pattern to match against the request origin that the certificate is valid for.
        */
-      url: string;
+      origin: string;
 
       /**
-       * List of client certificates to be used.
+       * Path to the file with the certificate in PEM format.
        */
-      certs: Array<{
+      certPath?: string;
-        /**
-         * Path to the file with the certificate in PEM format.
-         */
-        certPath?: string;
 
-        /**
+      /**
-         * Path to the file with the private key in PEM format.
+       * Path to the file with the private key in PEM format.
-         */
+       */
-        keyPath?: string;
+      keyPath?: string;
 
-        /**
+      /**
-         * Path to the PFX or PKCS12 encoded private key and certificate chain.
+       * Path to the PFX or PKCS12 encoded private key and certificate chain.
-         */
+       */
-        pfxPath?: string;
+      pfxPath?: string;
 
-        /**
+      /**
-         * Passphrase for the private key (PEM or PFX).
+       * Passphrase for the private key (PEM or PFX).
-         */
+       */
-        passphrase?: string;
+      passphrase?: string;
-      }>;
     }>;
 
     /**
@@ -16772,10 +16770,14 @@ export interface Browser extends EventEmitter {
     bypassCSP?: boolean;
 
     /**
+     * TLS Client Authentication allows the server to request a client certificate and verify it.
+     *
+     * **Details**
+     *
      * An array of client certificates to be used. Each certificate object must have both `certPath` and `keyPath` or a
      * single `pfxPath` to load the client certificate. Optionally, `passphrase` property should be provided if the
-     * private key is encrypted. If the certificate is valid only for specific URLs, the `url` property should be provided
+     * certficiate is encrypted. If the certificate is valid only for specific origins, the `origin` property should be
-     * with a glob pattern to match the URLs that the certificate is valid for.
+     * provided with a glob pattern to match the origins that the certificate is valid for.
      *
      * **NOTE** Using Client Certificates in combination with Proxy Servers is not supported.
      *
@@ -16784,34 +16786,29 @@ export interface Browser extends EventEmitter {
      */
     clientCertificates?: Array<{
       /**
-       * Glob pattern to match the URLs that the certificate is valid for.
+       * Glob pattern to match against the request origin that the certificate is valid for.
        */
-      url: string;
+      origin: string;
 
       /**
-       * List of client certificates to be used.
+       * Path to the file with the certificate in PEM format.
        */
-      certs: Array<{
+      certPath?: string;
-        /**
-         * Path to the file with the certificate in PEM format.
-         */
-        certPath?: string;
 
-        /**
+      /**
-         * Path to the file with the private key in PEM format.
+       * Path to the file with the private key in PEM format.
-         */
+       */
-        keyPath?: string;
+      keyPath?: string;
 
-        /**
+      /**
-         * Path to the PFX or PKCS12 encoded private key and certificate chain.
+       * Path to the PFX or PKCS12 encoded private key and certificate chain.
-         */
+       */
-        pfxPath?: string;
+      pfxPath?: string;
 
-        /**
+      /**
-         * Passphrase for the private key (PEM or PFX).
+       * Passphrase for the private key (PEM or PFX).
-         */
+       */
-        passphrase?: string;
+      passphrase?: string;
-      }>;
     }>;
 
     /**
@@ -20223,10 +20220,14 @@ export interface BrowserContextOptions {
   bypassCSP?: boolean;
 
   /**
+   * TLS Client Authentication allows the server to request a client certificate and verify it.
+   *
+   * **Details**
+   *
    * An array of client certificates to be used. Each certificate object must have both `certPath` and `keyPath` or a
    * single `pfxPath` to load the client certificate. Optionally, `passphrase` property should be provided if the
-   * private key is encrypted. If the certificate is valid only for specific URLs, the `url` property should be provided
+   * certficiate is encrypted. If the certificate is valid only for specific origins, the `origin` property should be
-   * with a glob pattern to match the URLs that the certificate is valid for.
+   * provided with a glob pattern to match the origins that the certificate is valid for.
    *
    * **NOTE** Using Client Certificates in combination with Proxy Servers is not supported.
    *
@@ -20235,34 +20236,29 @@ export interface BrowserContextOptions {
    */
   clientCertificates?: Array<{
     /**
-     * Glob pattern to match the URLs that the certificate is valid for.
+     * Glob pattern to match against the request origin that the certificate is valid for.
      */
-    url: string;
+    origin: string;
 
     /**
-     * List of client certificates to be used.
+     * Path to the file with the certificate in PEM format.
      */
-    certs: Array<{
+    certPath?: string;
-      /**
-       * Path to the file with the certificate in PEM format.
-       */
-      certPath?: string;
 
-      /**
+    /**
-       * Path to the file with the private key in PEM format.
+     * Path to the file with the private key in PEM format.
-       */
+     */
-      keyPath?: string;
+    keyPath?: string;
 
-      /**
+    /**
-       * Path to the PFX or PKCS12 encoded private key and certificate chain.
+     * Path to the PFX or PKCS12 encoded private key and certificate chain.
-       */
+     */
-      pfxPath?: string;
+    pfxPath?: string;
 
-      /**
+    /**
-       * Passphrase for the private key (PEM or PFX).
+     * Passphrase for the private key (PEM or PFX).
-       */
+     */
-      passphrase?: string;
+    passphrase?: string;
-    }>;
   }>;
 
   /**

packages/playwright/src/index.ts

@@ -479,12 +479,10 @@ function resolveFileToConfig(file: string | undefined) {
 type ClientCertificates = NonNullable<PlaywrightTestOptions['clientCertificates']>;
 
 function resolveClientCerticates(clientCertificates: ClientCertificates): ClientCertificates {
-  for (const { certs } of clientCertificates) {
+  for (const cert of clientCertificates) {
-    for (const cert of certs) {
+    cert.certPath = resolveFileToConfig(cert.certPath);
-      cert.certPath = resolveFileToConfig(cert.certPath);
+    cert.keyPath = resolveFileToConfig(cert.keyPath);
-      cert.keyPath = resolveFileToConfig(cert.keyPath);
+    cert.pfxPath = resolveFileToConfig(cert.pfxPath);
-      cert.pfxPath = resolveFileToConfig(cert.pfxPath);
-    }
   }
   return clientCertificates;
 }

packages/playwright/types/test.d.ts

@@ -5202,10 +5202,14 @@ export interface PlaywrightTestOptions {
    */
   colorScheme: ColorScheme;
   /**
+   * TLS Client Authentication allows the server to request a client certificate and verify it.
+   *
+   * **Details**
+   *
    * An array of client certificates to be used. Each certificate object must have both `certPath` and `keyPath` or a
    * single `pfxPath` to load the client certificate. Optionally, `passphrase` property should be provided if the
-   * private key is encrypted. If the certificate is valid only for specific URLs, the `url` property should be provided
+   * certficiate is encrypted. If the certificate is valid only for specific origins, the `origin` property should be
-   * with a glob pattern to match the URLs that the certificate is valid for.
+   * provided with a glob pattern to match the origins that the certificate is valid for.
    *
    * **NOTE** Using Client Certificates in combination with Proxy Servers is not supported.
    *
@@ -5219,22 +5223,14 @@ export interface PlaywrightTestOptions {
    * import { defineConfig } from '@playwright/test';
    *
    * export default defineConfig({
-   *   projects: [
+   *   use: {
-   *     {
+   *     clientCertificates: [{
-   *       name: 'Microsoft Edge',
+   *       origin: 'https://example.com',
-   *       use: {
+   *       certPath: './cert.pem',
-   *         ...devices['Desktop Edge'],
+   *       keyPath: './key.pem',
-   *         clientCertificates: [{
+   *       passphrase: 'mysecretpassword',
-   *           url: 'https://example.com/**',
+   *     }],
-   *           certs: [{
+   *   },
-   *             certPath: './cert.pem',
-   *             keyPath: './key.pem',
-   *             passphrase: 'mysecretpassword',
-   *           }],
-   *         }],
-   *       },
-   *     },
-   *   ]
    * });
    * ```
    *

packages/protocol/src/channels.ts

@@ -582,13 +582,11 @@ export type PlaywrightNewRequestParams = {
   ignoreHTTPSErrors?: boolean,
   extraHTTPHeaders?: NameValue[],
   clientCertificates?: {
-    url: string,
+    origin: string,
-    certs: {
+    cert?: Binary,
-      cert?: Binary,
+    key?: Binary,
-      key?: Binary,
+    passphrase?: string,
-      passphrase?: string,
+    pfx?: Binary,
-      pfx?: Binary,
-    }[],
   }[],
   httpCredentials?: {
     username: string,
@@ -615,13 +613,11 @@ export type PlaywrightNewRequestOptions = {
   ignoreHTTPSErrors?: boolean,
   extraHTTPHeaders?: NameValue[],
   clientCertificates?: {
-    url: string,
+    origin: string,
-    certs: {
+    cert?: Binary,
-      cert?: Binary,
+    key?: Binary,
-      key?: Binary,
+    passphrase?: string,
-      passphrase?: string,
+    pfx?: Binary,
-      pfx?: Binary,
-    }[],
   }[],
   httpCredentials?: {
     username: string,
@@ -968,13 +964,11 @@ export type BrowserTypeLaunchPersistentContextParams = {
   },
   ignoreHTTPSErrors?: boolean,
   clientCertificates?: {
-    url: string,
+    origin: string,
-    certs: {
+    cert?: Binary,
-      cert?: Binary,
+    key?: Binary,
-      key?: Binary,
+    passphrase?: string,
-      passphrase?: string,
+    pfx?: Binary,
-      pfx?: Binary,
-    }[],
   }[],
   javaScriptEnabled?: boolean,
   bypassCSP?: boolean,
@@ -1050,13 +1044,11 @@ export type BrowserTypeLaunchPersistentContextOptions = {
   },
   ignoreHTTPSErrors?: boolean,
   clientCertificates?: {
-    url: string,
+    origin: string,
-    certs: {
+    cert?: Binary,
-      cert?: Binary,
+    key?: Binary,
-      key?: Binary,
+    passphrase?: string,
-      passphrase?: string,
+    pfx?: Binary,
-      pfx?: Binary,
-    }[],
   }[],
   javaScriptEnabled?: boolean,
   bypassCSP?: boolean,
@@ -1167,13 +1159,11 @@ export type BrowserNewContextParams = {
   },
   ignoreHTTPSErrors?: boolean,
   clientCertificates?: {
-    url: string,
+    origin: string,
-    certs: {
+    cert?: Binary,
-      cert?: Binary,
+    key?: Binary,
-      key?: Binary,
+    passphrase?: string,
-      passphrase?: string,
+    pfx?: Binary,
-      pfx?: Binary,
-    }[],
   }[],
   javaScriptEnabled?: boolean,
   bypassCSP?: boolean,
@@ -1235,13 +1225,11 @@ export type BrowserNewContextOptions = {
   },
   ignoreHTTPSErrors?: boolean,
   clientCertificates?: {
-    url: string,
+    origin: string,
-    certs: {
+    cert?: Binary,
-      cert?: Binary,
+    key?: Binary,
-      key?: Binary,
+    passphrase?: string,
-      passphrase?: string,
+    pfx?: Binary,
-      pfx?: Binary,
-    }[],
   }[],
   javaScriptEnabled?: boolean,
   bypassCSP?: boolean,
@@ -1306,13 +1294,11 @@ export type BrowserNewContextForReuseParams = {
   },
   ignoreHTTPSErrors?: boolean,
   clientCertificates?: {
-    url: string,
+    origin: string,
-    certs: {
+    cert?: Binary,
-      cert?: Binary,
+    key?: Binary,
-      key?: Binary,
+    passphrase?: string,
-      passphrase?: string,
+    pfx?: Binary,
-      pfx?: Binary,
-    }[],
   }[],
   javaScriptEnabled?: boolean,
   bypassCSP?: boolean,
@@ -1374,13 +1360,11 @@ export type BrowserNewContextForReuseOptions = {
   },
   ignoreHTTPSErrors?: boolean,
   clientCertificates?: {
-    url: string,
+    origin: string,
-    certs: {
+    cert?: Binary,
-      cert?: Binary,
+    key?: Binary,
-      key?: Binary,
+    passphrase?: string,
-      passphrase?: string,
+    pfx?: Binary,
-      pfx?: Binary,
-    }[],
   }[],
   javaScriptEnabled?: boolean,
   bypassCSP?: boolean,
@@ -4582,13 +4566,11 @@ export type AndroidDeviceLaunchBrowserParams = {
   },
   ignoreHTTPSErrors?: boolean,
   clientCertificates?: {
-    url: string,
+    origin: string,
-    certs: {
+    cert?: Binary,
-      cert?: Binary,
+    key?: Binary,
-      key?: Binary,
+    passphrase?: string,
-      passphrase?: string,
+    pfx?: Binary,
-      pfx?: Binary,
-    }[],
   }[],
   javaScriptEnabled?: boolean,
   bypassCSP?: boolean,
@@ -4648,13 +4630,11 @@ export type AndroidDeviceLaunchBrowserOptions = {
   },
   ignoreHTTPSErrors?: boolean,
   clientCertificates?: {
-    url: string,
+    origin: string,
-    certs: {
+    cert?: Binary,
-      cert?: Binary,
+    key?: Binary,
-      key?: Binary,
+    passphrase?: string,
-      passphrase?: string,
+    pfx?: Binary,
-      pfx?: Binary,
-    }[],
   }[],
   javaScriptEnabled?: boolean,
   bypassCSP?: boolean,

packages/protocol/src/protocol.yml

@@ -445,16 +445,11 @@ ContextOptions:
       items:
         type: object
         properties:
-          url: string
+          origin: string
-          certs:
+          cert: binary?
-            type: array
+          key: binary?
-            items:
+          passphrase: string?
-              type: object
+          pfx: binary?
-              properties:
-                cert: binary?
-                key: binary?
-                passphrase: string?
-                pfx: binary?
     javaScriptEnabled: boolean?
     bypassCSP: boolean?
     userAgent: string?
@@ -700,16 +695,11 @@ Playwright:
           items:
             type: object
             properties:
-              url: string
+              origin: string
-              certs:
+              cert: binary?
-                type: array
+              key: binary?
-                items:
+              passphrase: string?
-                  type: object
+              pfx: binary?
-                  properties:
-                    cert: binary?
-                    key: binary?
-                    passphrase: string?
-                    pfx: binary?
         httpCredentials:
           type: object?
           properties:

tests/library/client-certificates.spec.ts

@@ -79,27 +79,22 @@ test.skip(({ mode }) => mode !== 'default');
 
 const kDummyFileName = __filename;
 const kValidationSubTests: [BrowserContextOptions, string][] = [
-  [{ clientCertificates: [{ url: 'test', certs: [] }] }, 'No certs specified for url: test'],
+  [{ clientCertificates: [{ origin: 'test' }] }, 'None of cert, key, passphrase or pfx is specified'],
-  [{ clientCertificates: [{ url: 'test', certs: [{}] }] }, 'None of cert, key, passphrase or pfx is specified'],
   [{
     clientCertificates: [{
-      url: 'test',
+      origin: 'test',
-      certs: [{
+      certPath: kDummyFileName,
-        certPath: kDummyFileName,
+      keyPath: kDummyFileName,
-        keyPath: kDummyFileName,
+      pfxPath: kDummyFileName,
-        pfxPath: kDummyFileName,
+      passphrase: kDummyFileName,
-        passphrase: kDummyFileName,
-      }]
     }]
   }, 'pfx is specified together with cert, key or passphrase'],
   [{
     proxy: { server: 'http://localhost:8080' },
     clientCertificates: [{
-      url: 'test',
+      origin: 'test',
-      certs: [{
+      certPath: kDummyFileName,
-        certPath: kDummyFileName,
+      keyPath: kDummyFileName,
-        keyPath: kDummyFileName,
-      }]
     }]
   }, 'Cannot specify both proxy and clientCertificates'],
 ];
@@ -122,11 +117,9 @@ test.describe('fetch', () => {
   test('should keep supporting http', async ({ playwright, server, asset }) => {
     const request = await playwright.request.newContext({
       clientCertificates: [{
-        url: server.PREFIX,
+        origin: new URL(server.PREFIX).origin,
-        certs: [{
+        certPath: asset('client-certificates/client/trusted/cert.pem'),
-          certPath: asset('client-certificates/client/trusted/cert.pem'),
+        keyPath: asset('client-certificates/client/trusted/key.pem'),
-          keyPath: asset('client-certificates/client/trusted/key.pem'),
-        }],
       }],
     });
     const response = await request.get(server.PREFIX + '/one-style.html');
@@ -140,11 +133,9 @@ test.describe('fetch', () => {
     const serverURL = await startCCServer();
     const request = await playwright.request.newContext({
       clientCertificates: [{
-        url: serverURL,
+        origin: new URL(serverURL).origin,
-        certs: [{
+        certPath: asset('client-certificates/client/self-signed/cert.pem'),
-          certPath: asset('client-certificates/client/self-signed/cert.pem'),
+        keyPath: asset('client-certificates/client/self-signed/key.pem'),
-          keyPath: asset('client-certificates/client/self-signed/key.pem'),
-        }],
       }],
     });
     const response = await request.get(serverURL);
@@ -158,11 +149,9 @@ test.describe('fetch', () => {
     const serverURL = await startCCServer();
     const request = await playwright.request.newContext({
       clientCertificates: [{
-        url: serverURL,
+        origin: new URL(serverURL).origin,
-        certs: [{
+        certPath: asset('client-certificates/client/trusted/cert.pem'),
-          certPath: asset('client-certificates/client/trusted/cert.pem'),
+        keyPath: asset('client-certificates/client/trusted/key.pem'),
-          keyPath: asset('client-certificates/client/trusted/key.pem'),
-        }],
       }],
     });
     const response = await request.get(serverURL);
@@ -176,11 +165,9 @@ test.describe('fetch', () => {
     const serverURL = await startCCServer();
     const request = await playwright.request.newContext({
       clientCertificates: [{
-        url: serverURL,
+        origin: new URL(serverURL).origin,
-        certs: [{
+        certPath: asset('client-certificates/client/trusted/cert.pem'),
-          certPath: asset('client-certificates/client/trusted/cert.pem'),
+        keyPath: asset('client-certificates/client/trusted/key.pem'),
-          keyPath: asset('client-certificates/client/trusted/key.pem'),
-        }],
       }],
     });
     const page = await browser.newPage({ ignoreHTTPSErrors: true });
@@ -205,11 +192,9 @@ test.describe('browser', () => {
   test('should keep supporting http', async ({ browser, server, asset }) => {
     const page = await browser.newPage({
       clientCertificates: [{
-        url: server.PREFIX,
+        origin: new URL(server.PREFIX).origin,
-        certs: [{
+        certPath: asset('client-certificates/client/trusted/cert.pem'),
-          certPath: asset('client-certificates/client/trusted/cert.pem'),
+        keyPath: asset('client-certificates/client/trusted/key.pem'),
-          keyPath: asset('client-certificates/client/trusted/key.pem'),
-        }],
       }],
     });
     await page.goto(server.PREFIX + '/one-style.html');
@@ -222,11 +207,9 @@ test.describe('browser', () => {
     const serverURL = await startCCServer({ useFakeLocalhost: browserName === 'webkit' && process.platform === 'darwin' });
     const page = await browser.newPage({
       clientCertificates: [{
-        url: 'https://not-matching.com',
+        origin: 'https://not-matching.com',
-        certs: [{
+        certPath: asset('client-certificates/client/trusted/cert.pem'),
-          certPath: asset('client-certificates/client/trusted/cert.pem'),
+        keyPath: asset('client-certificates/client/trusted/key.pem'),
-          keyPath: asset('client-certificates/client/trusted/key.pem'),
-        }],
       }],
     });
     await page.goto(serverURL);
@@ -238,11 +221,9 @@ test.describe('browser', () => {
     const serverURL = await startCCServer({ useFakeLocalhost: browserName === 'webkit' && process.platform === 'darwin' });
     const page = await browser.newPage({
       clientCertificates: [{
-        url: serverURL,
+        origin: new URL(serverURL).origin,
-        certs: [{
+        certPath: asset('client-certificates/client/self-signed/cert.pem'),
-          certPath: asset('client-certificates/client/self-signed/cert.pem'),
+        keyPath: asset('client-certificates/client/self-signed/key.pem'),
-          keyPath: asset('client-certificates/client/self-signed/key.pem'),
-        }],
       }],
     });
     await page.goto(serverURL);
@@ -254,11 +235,9 @@ test.describe('browser', () => {
     const serverURL = await startCCServer({ useFakeLocalhost: browserName === 'webkit' && process.platform === 'darwin' });
     const page = await browser.newPage({
       clientCertificates: [{
-        url: serverURL,
+        origin: new URL(serverURL).origin,
-        certs: [{
+        certPath: asset('client-certificates/client/trusted/cert.pem'),
-          certPath: asset('client-certificates/client/trusted/cert.pem'),
+        keyPath: asset('client-certificates/client/trusted/key.pem'),
-          keyPath: asset('client-certificates/client/trusted/key.pem'),
-        }],
       }],
     });
     await page.goto(serverURL);
@@ -269,11 +248,9 @@ test.describe('browser', () => {
   test('should have ignoreHTTPSErrors=false by default', async ({ browser, httpsServer, asset, browserName, platform }) => {
     const page = await browser.newPage({
       clientCertificates: [{
-        url: 'https://just-there-that-the-client-certificates-proxy-server-is-getting-launched.com',
+        origin: 'https://just-there-that-the-client-certificates-proxy-server-is-getting-launched.com',
-        certs: [{
+        certPath: asset('client-certificates/client/trusted/cert.pem'),
-          certPath: asset('client-certificates/client/trusted/cert.pem'),
+        keyPath: asset('client-certificates/client/trusted/key.pem'),
-          keyPath: asset('client-certificates/client/trusted/key.pem'),
-        }],
       }],
     });
     await page.goto(browserName === 'webkit' && platform === 'darwin' ? httpsServer.EMPTY_PAGE.replace('localhost', 'local.playwright') : httpsServer.EMPTY_PAGE);
@@ -292,11 +269,9 @@ test.describe('browser', () => {
       const serverURL = await startCCServer({ useFakeLocalhost: browserName === 'webkit' && process.platform === 'darwin' });
       const { page } = await launchPersistent({
         clientCertificates: [{
-          url: serverURL,
+          origin: new URL(serverURL).origin,
-          certs: [{
+          certPath: asset('client-certificates/client/trusted/cert.pem'),
-            certPath: asset('client-certificates/client/trusted/cert.pem'),
+          keyPath: asset('client-certificates/client/trusted/key.pem'),
-            keyPath: asset('client-certificates/client/trusted/key.pem'),
-          }],
         }],
       });
       await page.goto(serverURL);