getsentry / sentry-javascript

Official Sentry SDKs for JavaScript
https://sentry.io
MIT License
7.97k stars 1.57k forks

The stack trace of a SecurityError is not reported #3119

Closed WesselKroos closed 2 years ago

WesselKroos commented 3 years ago

Package + Version

Version: 5.29.0

Description

A DOMException with the name SecurityError contains a stack in Chromium. This stack is not reported to Sentry.

Example of the exception:

DOMException:
  code: 18
  message: "Failed to execute 'getImageData' on 'OffscreenCanvasRenderingContext2D': The canvas has been tainted by cross-origin data."
  name: "SecurityError"
  stack: "Error: Failed to execute 'getImageData' on 'OffscreenCanvasRenderingContext2D': The canvas has been tainted by cross-origin data.↵    at Extension.function3 (/scripts.js:5825:51)↵    at Extension.function2  (/scripts.js:4328:18)↵    at Extension.function1 (/scripts.js:4290:18)"

Debugging info

While debugging the script of @sentry/browser I noticed the following code prevents the stack trace from being included in the event:

function eventFromUnknownInput(exception, syntheticException, options) {
  // ...
  if (isErrorEvent(exception) && exception.error) { // isErrorEvent = false && exception.error = undefined
    // ... In this case the stack trace would be attached to the event
  }
  if (isDOMError(exception) || isDOMException(exception)) { // isDOMError = false || isDOMException = true
    // ...
    return event; // This event is returned. And in this case the stack trace is NOT attached to the event
  }
}

How to reproduce

  1. Create a video element with a src attribute that contains a URL from a different domain than the current webpage.
  2. Draw the video to a canvas element via the drawImage function.
  3. Execute the getImageData function on that canvas.
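
A caller-side sketch of preserving the stack described in this report: it copies a DOMException's name, message and stack onto a plain Error and parses the Chromium stack string into frames. This is an added example, not code from the issue or from the Sentry SDK; the function names are hypothetical, the sample exception is constructed from the values quoted above, and it assumes the reporter reads stacks from Error instances.

```javascript
// Added example, not Sentry SDK code; all function names are hypothetical.
// One Chromium stack line: "at fn (file:line:col)" or "at file:line:col".
const CHROMIUM_FRAME = /^\s*at (?:(.+?)\s+\()?(.+?):(\d+):(\d+)\)?\s*$/;

// Parse a Chromium-style stack string; non-frame lines ("Error: ...") are skipped.
function parseChromiumStack(stack) {
  if (typeof stack !== 'string') return [];
  const frames = [];
  for (const line of stack.split('\n')) {
    const m = CHROMIUM_FRAME.exec(line);
    if (!m) continue;
    frames.push({
      function: m[1] || '<anonymous>',
      filename: m[2],
      lineno: Number(m[3]),
      colno: Number(m[4]),
    });
  }
  return frames;
}

// Matches DOMException instances and objects tagged like one.
function looksLikeDOMException(value) {
  return Object.prototype.toString.call(value) === '[object DOMException]';
}

// Copy name, message and stack onto a plain Error so a reporter that only
// reads stacks from Error instances still receives the frames.
function toErrorWithStack(exception) {
  if (!looksLikeDOMException(exception) || typeof exception.stack !== 'string') {
    return exception; // nothing to preserve, pass through unchanged
  }
  const error = new Error(exception.message);
  error.name = exception.name;
  error.stack = exception.stack;
  return error;
}

// Constructed sample mirroring the exception quoted in the issue.
const sampleException = {
  [Symbol.toStringTag]: 'DOMException',
  code: 18,
  name: 'SecurityError',
  message: "Failed to execute 'getImageData' on 'OffscreenCanvasRenderingContext2D': The canvas has been tainted by cross-origin data.",
  stack: "Error: Failed to execute 'getImageData' on 'OffscreenCanvasRenderingContext2D': The canvas has been tainted by cross-origin data.\n    at Extension.function3 (/scripts.js:5825:51)\n    at Extension.function2 (/scripts.js:4328:18)\n    at Extension.function1 (/scripts.js:4290:18)",
};
const converted = toErrorWithStack(sampleException);
console.log(converted.name, parseChromiumStack(converted.stack));
```
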

marrowleaves commented 3 years ago

Ref: https://github.com/getsentry/sentry-javascript/pull/1310