Patched (instrumented) XMLHttpRequest bypasses allowUrls

amakhrov commented 2 years ago

[x] Review the documentation: https://docs.sentry.io/
[x] Search for existing issues: https://github.com/getsentry/sentry-javascript/issues
[ ] Use the latest release: https://github.com/getsentry/sentry-javascript/releases
[x] Provide a link to the affected event from your Sentry account

https://sentry.io/organizations/crunchbase/issues/2950571244/?project=190044

Package + Version

[x] @sentry/browser
[x] @sentry/node
[ ] raven-js
[ ] raven-node (raven for node)
[ ] other:

Version:

6.15.0

Description

We use a (slightly customized - use case as outlined here: https://github.com/getsentry/sentry-javascript/issues/4472) InboundFilters integration to only record events from our app and exclude 3rd party.

Sometimes we still see issues from 3rd party logged in Sentry despite that - because the stack trace includes patched DOM APIs. In some cases it's Sentry SDK that patches XMLHttpRequest. I assume it's done by the Breadcrumbs integration (might be wrong here).

Example stack trace

TypeError: CreateListFromArrayLike called on non-object
  at XMLHttpRequest.window.XMLHttpRequest.open [as __zone_symbol__open](<anonymous>:22:27) <-- anon - ignored
  at patchDelegate(webpack:/./node_modules/zone.js/fesm2015/zone.js:2878:31) <-- we ignore this based on bundle file name
  at originalOpen(webpack:/./node_modules/zone.js/fesm2015/zone.js:975:24) <-- we ignore this based on bundle file name
  at XMLHttpRequest.open(webpack:/./node_modules/@sentry/utils/esm/instrument.js:250:20) <-- Sentry SDK - the same bundle as all other dependencies
  at se.otFetch(/scripttemplates/otSDKStub.js:1:7411) <-- 3rd party!

I love the breadcrumbs, and would hate to disable it. Any other ways to make it work well with InboundFilters?

AbhiPrasad commented 2 years ago

We don't have the bandwidth to look at this at the current moment (partly because we are focused on getting https://github.com/getsentry/sentry-javascript/issues/4240 out the door), but more than happy to review any PRs or add any suggestions for API/options you want to extend InboundFilters.

We can also maybe discuss creating another integration to do address your exact use case here - and not make it default so it doesn't bloat the bundle.

amakhrov commented 2 years ago

Thanks @AbhiPrasad . Honestly, for this one I don't have any ideas - since InboundFilters works with minified filenames in stack trace, it can only get that flexible. The ultimate solution could be to have similar functionality inside Sentry dashboard, so that filtering rules could be applied to source file names (resolved via source maps)

HazAT commented 1 year ago

Closing this for now since I don't see a clear way how to do this in the SDK.

getsentry / sentry-javascript