getsentry / sentry-javascript

Official Sentry SDKs for JavaScript
https://sentry.io
MIT License
7.85k stars 1.55k forks

Cors issue on capturing exceptions #2859

Closed karna41317 closed 3 years ago

karna41317 commented 4 years ago

Package + Version

Version: "@sentry/react": "^5.22.0",

0.0.0

Description

I have a simple setup to capture events to sentry, like below

// import * as Sentry from "@sentry/browser"; // same with this package
import * as Sentry from "@sentry/react";
Sentry.init({
  dsn: "https://xxxxxxxxxxxxxxxx@o64130.ingest.sentry.io/1319034",
  release: "my-project-name@" + process.env.npm_package_version,
});

const logError = (error) => {
  Sentry.captureException(error);
};

function App() {
  logError(new Error("from create-react-app"));

  return (
    <div className="App">
      <header className="App-header">
        <img src={logo} className="App-logo" alt="logo" />
        <p>
          Edit <code>src/App.js</code> and save to reload.
        </p>
        <a
          className="App-link"
          href="https://reactjs.org"
          target="_blank"
          rel="noopener noreferrer"
        >
          Learn React
        </a>
      </header>
    </div>
  );
}

But the request to Sentry ended up being 403 (Forbidden), and it's because of CORS. Does anyone have the same problem?

dhruska commented 4 years ago

Hey @karna41317 - in your Sentry account, double check these settings:

n-a-t-e commented 3 years ago

I was having this CORS error as well, and it turned out my ad blocker (uBlock Origin on Firefox OSX) was blocking the connection to Sentry.

kamilogorek commented 3 years ago

Closing the issue as a part of large repository cleanup, due to it being inactive and/or outdated. Please do not hesitate to ping me if it is still relevant, and I will happily reopen and work on it. Cheers!

mihanizm56 commented 3 years ago

Get the same issue with request "type:session"

curl 'https://sentry-sitemobile.wildberries.ru/api/7/envelope/?sentry_key=blablabla&sentry_version=7' \
  -H 'Connection: keep-alive' \
  -H 'sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36' \
  -H 'Content-Type: text/plain;charset=UTF-8' \
  -H 'Accept: */*' \
  -H 'Origin: https://ui-root.suppliers-portal-ru.svc.k8s.stage' \
  -H 'Sec-Fetch-Site: cross-site' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Referer: https://ui-root.suppliers-portal-ru.svc.k8s.stage/' \
  -H 'Accept-Language: en' \
  --data-raw $'{"sent_at":"2021-03-19T23:43:10.697Z","sdk":{"name":"sentry.javascript.browser","version":"6.2.2"}}\n{"type":"session"}\n{"sid":"blablabla","init":true,"started":"2021-03-19T23:43:10.697Z","timestamp":"2021-03-19T23:43:10.697Z","status":"ok","errors":0,"duration":0,"attrs":{"release":"v0.0.2"}}' \
  --compressed

Sentry in our company is self-hosted

mihanizm56 commented 3 years ago

curl 'https://sentry-sitemobile.wildberries.ru/api/7/store/?sentry_key=blablabla&sentry_version=7' \
  -H 'Connection: keep-alive' \
  -H 'sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36' \
  -H 'Content-Type: text/plain;charset=UTF-8' \
  -H 'Accept: */*' \
  -H 'Origin: https://ui-root.suppliers-portal-ru.svc.k8s.stage' \
  -H 'Sec-Fetch-Site: cross-site' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Referer: https://ui-root.suppliers-portal-ru.svc.k8s.stage/' \
  -H 'Accept-Language: en' \
  --data-raw '{"exception":{"values":[{"type":"TypeError","value":"Failed to fetch","mechanism":{"handled":false,"type":"onunhandledrejection"}}]},"level":"error","platform":"javascript","event_id":"a742aa75448241e198075671ec8c4a86","timestamp":1616197493.375,"environment":"production","release":"v0.0.2","breadcrumbs":[{"timestamp":1616197392,"category":"fetch","data":{"method":"GET","url":"/nsf/ui/marketplace-content-api/umd/index.80db62246959b556140f.js","__span":"a4bd5b734c0de0fd","status_code":200},"type":"http"},{"timestamp":1616197392.001,"category":"fetch","data":{"method":"GET","url":"/nsf/ui/marketplace-remains-of-goods- --compressed

mihanizm56 commented 3 years ago

image

mihanizm56 commented 3 years ago

@kamilogorek seems like this is a bug

cawel commented 3 years ago

I'm also experiencing a CORS error for all the "envelope" API calls:

https://sentry.my-domain.com/api/10/envelope/?sentry_key=f3faf208db114e9f2f882f893&sentry_version=7

Those are failing because of CORS:

Access to fetch at 'https://sentry.my-domain.com/api/10/envelope/?sentry_key=f3faf208db114e9f2f882f893&sentry_version=7' from origin 'https://my-domain.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

It works fine for the "store" API calls. I do see the errors on my Sentry project (on sentry.my-domain.com) for API calls like this one:

https://sentry.my-domain.com/api/10/store/?sentry_key=f3faf208db114e9f2f882f893&sentry_version=7

I did add my domain name in the "Allowed Domains" configuration section on sentry.my-domain.com and I could confirm this had an impact on whether or not the "store" API calls reached Sentry. No impact on those "envelope" calls though. For those I have a CORS issue.

mihanizm56 commented 3 years ago

be careful - you are showing your dsn! =)

cawel commented 3 years ago

@mihanizm56 I did change it before posting, so no worries.

mihanizm56 commented 3 years ago

I'm also experiencing a CORS error for all the "envelope" API calls:

https://sentry.my-domain.com/api/10/envelope/?sentry_key=f3faf208db114e9f2f882f893&sentry_version=7

Those are failing because of CORS:

Access to fetch at 'https://sentry.my-domain.com/api/10/envelope/?sentry_key=f3faf208db114e9f2f882f893&sentry_version=7' from origin 'https://my-domain.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

It works fine for the "store" API calls. I do see the errors on my Sentry project (on sentry.my-domain.com) for API calls like this one:

https://sentry.my-domain.com/api/10/store/?sentry_key=f3faf208db114e9f2f882f893&sentry_version=7

I did add my domain name in the "Allowed Domains" configuration section on sentry.my-domain.com and I could confirm this had an impact on whether or not the "store" API calls reached Sentry. No impact on those "envelope" calls though. For those I have a CORS issue.

Faced the issue when using SDK 6x with 9x self-hosted Sentry. Downgrading to 5x versions of the SDK helped!

cawel commented 3 years ago

@mihanizm56 Thanks for the feedback. I learned elsewhere that I'm using too old a version of Sentry in my self-hosted configuration.

emondora commented 3 years ago

How to solve it...

kamilogorek commented 3 years ago

@emondora upgrading your self-hosted Sentry instance to v10 or newer is the best choice. Otherwise use SDK v5.26.

emondora commented 3 years ago

@kamilogorek Thanks for the feedback. Today I upgraded my self-hosted Sentry to v21.3.17, and also set the "Allowed Domains" to *. Before I upgraded, everything went fine. Now my Sentry SDK is downgraded to v5.26, but Chrome throws the same error: "Access to fetch at '***/api/2/store/?sentry_key=***&sentry_version=7' from origin 'http://localhost:4200' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled."

kamilogorek commented 3 years ago

@BYK maybe you know what's going on here? (it's working fine on the SaaS, so it's not SDK issue)

BYK commented 3 years ago

@emondora are you using our onpremise repo? Also have you set your system.url-prefix?

gj19910723 commented 3 years ago

I have the same problem in Sentry V10. I think it's not a CORS problem.

I see the web container logs show 09:25:58 [WARNING] django.request: Forbidden (CSRF cookie not set.): /api/4/envelope/ (status_code=403 request=<WSGIRequest: POST u'/api/4/envelope/?sentry_key=xxx&sentry_version=7'>), then it returns 403.

The browser did not find the CORS header, so it shows "no CORS header", but does not tell you the HTTP response code is 403.

@BYK @kamilogorek @karna41317

BYK commented 3 years ago

@gj19910723 Sentry v10 does not have relay built into it and it cannot handle the envelope payloads. You need to upgrade to a more recent version of Sentry.

reb00t2018 commented 3 years ago

help!

BYK commented 3 years ago

@reb00t2018 please elaborate your issue and refrain from comments that do not contribute to the discussion.

ykshatroff commented 3 years ago

Hi! Having a similar issue; given:

vladyc9 commented 3 years ago

Hi all,

Regarding the CORS envelope problem: I have SDK 6.2.5 and the 9.2.1 self-hosted version.

Here's another solution I managed to find, and the envelope request is no longer sent.

Sentry.init({ autoSessionTracking: false, });

dahei commented 3 years ago

envelope request is no longer sent.

Sure, but you've also disabled the session feature itself ;) - so that's not really a solution.

We are facing the same CORS issues for the envelope calls.

Setting "Allowed Domains" to * or specific domains doesn't make any difference.

BYK commented 3 years ago

@dahei Sentry 9.1.2 does not support sessions or envelopes so you should be good.

Noitidart commented 3 years ago

I was having this CORS error as well, and it turned out my ad blocker (uBlock Origin on Firefox OSX) was blocking the connection to Sentry.

How do you fix this issue without turning off adblock? Because I can't ask my users to turn it off.

BYK commented 3 years ago

https://docs.sentry.io/platforms/javascript/troubleshooting/#dealing-with-ad-blockers

JamesWebDev commented 3 years ago

Hi all,

Regarding the CORS envelope problem: I have SDK 6.2.5 and the 9.2.1 self-hosted version.

Here's another solution I managed to find, and the envelope request is no longer sent.

Sentry.init({ autoSessionTracking: false, });

Thanks @vladyc9, I like this solution much better than having to downgrade the version of the package. And like BYK said, version 9.1.2 of Sentry does not support session tracking anyway.

@BYK it would be super cool if a version compatibility matrix existed. Having to spend hours reading through all the closed issues, and changelogs is not user friendly. If we can't have a matrix then it would be nice if the major version number of the sentry server was aligned with the major version of the client. ¯\_(ツ)_/¯ with the versions not aligned and also not having a matrix it just makes the product feel flakey.

mrdulin commented 2 years ago

"@sentry/browser": "^6.13.3" + Company self-hosted Sentry 9.1.2 will cause browser CORS error.

Company sentry URL like https://sentry.company.com.

Downgrade @sentry/browser to ^5.30.0 to solve this issue. Don't know why

denise92 commented 2 years ago

Hi, I found a way to solve the CORS issue~ The point is: don't use the integrations and release options!!!!

Sentry.init({
    dsn: "my-dsn-sentry",
    tracesSampleRate: 1.0,
    environment: "production",
})

P.S. Setting both autoSessionTracking and sendClientReports to false doesn't work in my project, I don't know why....

SlavaPWNZ commented 2 years ago

How to fix it: PROJECT -> General -> CLIENT SECURITY -> Verify TLS/SSL: set ENABLED

bitsagarob commented 2 years ago

It appears to be the combination of integrations and tracesSampleRate that's causing CORS issues; disabling either one of those two seems to resolve it. Using latest @sentry/angular: 6.19.7 and @sentry/tracing 6.19.7

holmberd commented 2 years ago

Issue seems to exist on at least @sentry/browser: 6.19.7; downgraded to the last working version to resolve: 6.17.7. I can't see anything different in the request headers between the versions.

thinkdj commented 2 years ago

It appears to be the combination of integrations and tracesSampleRate that's causing CORS issues; disabling either one of those two seems to resolve it. Using latest @sentry/angular: 6.19.7 and @sentry/tracing 6.19.7

True. Adding config { tracingOrigins: ["*"] } for BrowserTracing solved it for me

Sentry.init({
  dsn: "******************************",
  integrations: [new BrowserTracing({ tracingOrigins: ["*"] })],
  tracesSampleRate: 0.025,
});

MauriceArikoglu commented 2 years ago

For everyone finding this via Google and wanting to follow the approach mentioned by @thinkdj - be aware you might need to change your server software and enable specific headers in the context of Cross-Origin Resource Sharing (CORS), mentioned here in the documentation: https://docs.sentry.io/platforms/javascript/performance/instrumentation/automatic-instrumentation/#tracingorigins

I also wouldn't call that a solution, since it actually doesn't have anything to do with the problem, as far as I see it - also the browser tracing does add functionality that might be unwanted, as well as is probably subject to data privacy regulations in some countries.

jameshhood commented 1 year ago

I just started using sentry and I'm already here. I have a CMS tool called strapi that I use with my VueJS app. Of course both are running on localhost using @sentry/tracing: 7.18.0 and @sentry/vue: 7.18.0.

The moment I add

integrations: [
  new BrowserTracing({
    routingInstrumentation: Sentry.vueRouterInstrumentation(router),
    tracingOrigins: ['*'],
  }),
],

into my Sentry.init() config, I start getting CORS errors when trying to request data from my CMS tool. I have tried some tidbits from this chain but the only thing I've managed to fix so far is just commenting this out which doesn't seem like a fix to me

muuvmuuv commented 1 year ago

Same here with Angular (using Sentry Capacitor plugin). Allowed domains is "*" and any other suggestion here does not work. Tried on https://localhost without SSL and https://domain.local...

znareak commented 1 year ago

It appears to be the combination of integrations and tracesSampleRate that's causing CORS issues; disabling either one of those two seems to resolve it. Using latest @sentry/angular: 6.19.7 and @sentry/tracing 6.19.7

Works for me, thank you man!

mohsenasm commented 11 months ago

Double-check that you are not using an http DSN string inside an https webpage and that it's not just a mixed content error. (Sentry should be used with https when it is being used inside an https webpage.)

Congee commented 3 months ago

It turns out manually adding access-control-allow-origin to the response header solves the problem. The Settings -> Project Settings -> CLIENT SECURITY -> Allowed Domains config is really a red herring.

For your reference:

access-control-allow-origin: *
access-control-allow-credentials: true
access-control-allow-methods: GET, PUT, POST, DELETE, PATCH, OPTIONS
access-control-allow-headers: DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization
access-control-max-age: 1728000
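
Two points from this thread can be checked against the CORS check a browser runs on a cross-origin response: a 403 that carries no CORS headers (the CSRF log line quoted by gj19910723) is reported only as a missing `Access-Control-Allow-Origin` header, and a wildcard `access-control-allow-origin` is not accepted for credentialed requests even when `access-control-allow-credentials: true` is present. The code below is an added example, not code from the thread or from Sentry; the function names, the origin value and both sample responses are constructed for illustration.

```javascript
// Added example: the CORS check a browser applies to a cross-origin response,
// following the Fetch standard. Sample responses below are constructed.

function corsCheck(origin, credentialsMode, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const acao = h["access-control-allow-origin"];
  const withCreds = credentialsMode === "include";
  if (acao === undefined)
    return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  if (acao === "*")
    return withCreds
      ? { allowed: false, reason: "wildcard origin is rejected for credentialed requests" }
      : { allowed: true, reason: "wildcard origin, no credentials" };
  if (acao !== origin)
    return { allowed: false, reason: "allowed origin does not match the page origin" };
  if (withCreds && h["access-control-allow-credentials"] !== "true")
    return { allowed: false, reason: "Access-Control-Allow-Credentials is not 'true'" };
  return { allowed: true, reason: "origin matches" };
}

// What the page's script can learn, next to what the server really answered.
function diagnose(origin, credentialsMode, response) {
  const check = corsCheck(origin, credentialsMode, response.headers);
  if (check.allowed) return `readable, HTTP ${response.status}`;
  const hidden = response.status >= 400
    ? `; server-side status was HTTP ${response.status}, so check its logs`
    : "";
  return `blocked by CORS policy: ${check.reason}${hidden}`;
}

const ORIGIN = "https://my-domain.com"; // placeholder origin, as used in the thread

// Constructed: a 403 from the CSRF middleware carries no CORS headers at all.
const csrf403 = { status: 403, headers: { "Content-Type": "text/html" } };

// Constructed: a 200 carrying two of the headers listed in the last comment.
const wildcard200 = {
  status: 200,
  headers: {
    "access-control-allow-origin": "*",
    "access-control-allow-credentials": "true",
  },
};

console.log(diagnose(ORIGIN, "same-origin", csrf403));
console.log(diagnose(ORIGIN, "same-origin", wildcard200));
console.log(diagnose(ORIGIN, "include", wildcard200));
```

When the console reports a missing `Access-Control-Allow-Origin` header, the status code and the server or proxy log of the same request show whether the request was rejected before any CORS handling ran.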