getsentry / sentry

Developer-first error tracking and performance monitoring
https://sentry.io

Allows cors on ingest.sentry.io #49535

Closed Amatewasu closed 1 year ago

Amatewasu commented 1 year ago

Environment

SaaS (https://sentry.io/)

Steps to Reproduce

  1. Add same origin headers (Cross-Origin-Opener-Policy: same-origin and Cross-Origin-Embedder-Policy: require-corp)
  2. Call Sentry.showReportDialog
  3. The request is blocked by the browser because it lacks cors headers on the server (Access-Control-Allow-Origin: * for example)
  4. The user feedback dialog is therefore not shown to the user

Expected Result

Actual Result

The request is blocked by the browser: "GET https://o1127159.ingest.sentry.io/api/embed/error-page/?dsn=https://8f845bb769e24d9eb37a25bfd63b9c96@o1127159.ingest.sentry.io/6417371&eventId=71e2f933bbb84e07828a4e6ed073ca34&title=Report%20an%20issue&name=NAME OF THE USER*&email=EMAIL OF THE USERnet::ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep 302"

For your information, following the previously mentioned error, I tried to hijack this by directly inserting the script Sentry loads, using the following piece of code:

// Remove any report-dialog script that was injected earlier, so it can be re-added.
const scriptSentryId = 'sentry-error-embed';
const scriptSentryEls = document.querySelectorAll(`#${scriptSentryId}`);
scriptSentryEls.forEach((scriptSentryEl) => {
  if (scriptSentryEl instanceof HTMLElement) {
    scriptSentryEl.remove();
  }
});

// `profile` (the signed-in user) and `event` (the captured Sentry event) come from the surrounding scope.
const username = profile && 'name' in profile ? profile.name : undefined;
const email = profile && 'email' in profile ? profile.email : undefined;
const urlSentryReport = `https://sentry.io/api/embed/error-page/?dsn=https://8f845bb769e24d9eb37a25bfd63b9c96@o1127159.ingest.sentry.io/6417371&eventId=${event.event_id}&title=Report%20an%20issue&name=${username}&email=${email}`;

// Inject the embed script by hand, fetching it in CORS mode and without a Referer header.
const scriptShowReportDialog = document.createElement('script');
scriptShowReportDialog.id = scriptSentryId;
scriptShowReportDialog.type = 'text/javascript';
scriptShowReportDialog.async = true;
scriptShowReportDialog.crossOrigin = 'anonymous';
scriptShowReportDialog.referrerPolicy = 'no-referrer';
scriptShowReportDialog.src = urlSentryReport;
document.body.appendChild(scriptShowReportDialog);

but the request is also blocked by the browser: Access to script at 'https://sentry.io/api/embed/error-page/?dsn=https://8f845bb769e24d9eb37a25bfd63b9c96@o1127159.ingest.sentry.io/6417371&eventId=b8b588b0bb014590adfb6f93de24550f&title=Report%20an%20issue&name=undefined&email=undefined' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. GET https://sentry.io/api/embed/error-page/?dsn=https://8f845bb769e24d9eb37a25bfd63b9c96@o1127159.ingest.sentry.io/6417371&eventId=b8b588b0bb014590adfb6f93de24550f&title=Report%20an%20issue&name=undefined&email=undefined net::ERR_FAILED 200 (OK)

Product Area

User Feedback

Link

(can be provided on request but is not publicly available)

DSN

https://8f845bb769e24d9eb37a25bfd63b9c96@o1127159.ingest.sentry.io/6417371

Version

No response

getsantry[bot] commented 1 year ago

Assigning to @getsentry/support for routing, due by (sfo). ⏲️

lforst commented 1 year ago

I think we need relay to return Access-Control-Allow-Origin: * for this endpoint.

lforst commented 1 year ago

cc @jernejstrasner

jjbayer commented 1 year ago

Looks like a problem with the /api/embed/error-page/ endpoint, not a relay issue.

lforst commented 1 year ago

@jjbayer Damn I thought we served this over relay. Routing to sentry then.

JoshFerge commented 1 year ago

seems like we need to add Cross-Origin-Resource-Policy: cross-origin to our error page response https://github.com/getsentry/sentry/blob/7d84829c2111305cd220b9ef1d482964b7bb45ad/src/sentry/web/frontend/error_page_embed.py#L230 , but need to do more digging on what's correct / implications. https://web.dev/why-coop-coep/

getsantry[bot] commented 1 year ago

Failed to route for Product Area: Other. Defaulting to @getsentry/open-source for triage, due by (sea). ⏲️

getsantry[bot] commented 1 year ago

Routing to @getsentry/product-owners-user-feedback for triage, due by (sfo). ⏲️

Amatewasu commented 1 year ago

Hello, do you have any updates regarding this issue? Thank you!

lforst commented 1 year ago

Just opened a PR to fix this https://github.com/getsentry/sentry/pull/51138

Amatewasu commented 1 year ago

Thank you a lot for the work!

By any chance, do you know when this change will be live?

lforst commented 1 year ago

@Amatewasu It is live since two weeks. Are you still facing problems?

Amatewasu commented 1 year ago

@lforst I just tested and I am still facing the issue.

In my JS browser console: main.48957e68.js:2 GET https://o1127159.ingest.sentry.io/api/embed/error-page/?dsn=https://8f845bb769e24d9eb37a25bfd63b9c96@o1127159.ingest.sentry.io/6417371&eventId=e192e042fadc4ef7913fc88bef551dbc&title=Report%20an%20issue&name=`my_first_name%20my_last_name&email=my%40email.com net::ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep 302

And in the network tab: [screenshot]

So it looks like there is no Cross-Origin-Resource-Policy header?

lforst commented 1 year ago

Ah interesting, I thought this is implicitly gonna be resolved by setting an Access-Control-Allow-Origin header.

Seems like we also need to add a Cross-Origin-Resource-Policy: cross-origin header.

lforst commented 1 year ago

~Wait actually, shouldn't this be fixed by just setting a crossorigin attribute on the embedded script tag? I can see in your code snippet that you set crossOrigin = 'anonymous' which looks like a typo.~

Nevermind that seems to be the JS api for that.

Amatewasu commented 1 year ago

@lforst Thank you for your answer. I just saw the PR you opened two weeks ago. I guess it is live now? (I am still facing the same issue)

robert-king commented 1 year ago

I got the same error I think when trying to showDialog

{ provide: ErrorHandler, useValue: Sentry.createErrorHandler({ showDialog: true, }), },

making showDialog: false fixes the error.

Access to script at 'https://o4505552496230400.ingest.sentry.io/api/embed/error-page/?dsn=https://721c9e37a0cd4a0e9412190604008a89@o4505552496230400.ingest.sentry.io/4505552757719040&eventId=e163e6e38ab34d9f830e145d7eb7c644' from origin 'http://localhost:4200' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

HansAarneLiblik commented 1 year ago

@lforst Upgrading from @sentry/react v7.57.0 to v7.58.1 (Where this fix(?) is included) our Sentry integration started to fail and I'm guessing these are related

Issue is present in Sentry but no ErrorDialog is presented to the user

Access to script at 'https://<my-sentry>/api/embed/error-page/?dsn=https://<sentry-key>@<my-sentry>/2&eventId=efc303799d1844d4bab7128fb52be69a&name=<username>&email=<email>' from origin 'https://<my-application>' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

This is how we're init'ing our Sentry

import * as Sentry from '@sentry/react';

Sentry.init({
    dsn: config.sentry_dsn,
    environment: config.environment,
    release: config.version,
    ignoreErrors: ['Request aborted'],
    autoSessionTracking: false,
    initialScope: {
      user: {...config.user, name: config.user.username},
    },
});

lforst commented 1 year ago

@Amatewasu Did you upgrade to the newest SDK version?

@robert-king What SDK version are you on?

@HansAarneLiblik what self-hosted version are you on?

Amatewasu commented 1 year ago

@lforst I did not. Here's my current package.json:

"@sentry/cli": "^2.7.0",
"@sentry/integrations": "^7.16.0",
"@sentry/react": "^7.16.0",
"@sentry/rrweb": "^0.3.3",
"@sentry/tracing": "^7.16.0",

I will update the SDK and let you know about the result. Thanks!

Amatewasu commented 1 year ago

@lforst I just updated my package.json and tested on an online development environment and I still get the issue.

Here's the screenshot of the error: [screenshot]

My new package.json (of course I've run npm install after the update):

"@sentry/cli": "2.19.4",
"@sentry/integrations": "^7.60.0",
"@sentry/react": "^7.60.0",
"@sentry/rrweb": "^0.3.3",
"@sentry/tracing": "^7.60.0",

(I can give you access to the page to reproduce if needed)

lforst commented 1 year ago

@Amatewasu do you mind sharing the full URL inside the first error?

I am a bit weirded out because we are setting the Access-Control-Allow-Origin header in any case to * now...

lforst commented 1 year ago

@Amatewasu another question. Is this happening inside an iframe?

Amatewasu commented 1 year ago

> @Amatewasu do you mind sharing the full URL inside the first error?

Sure, I have sent you an email.

> I am a bit weirded out because we are setting the Access-Control-Allow-Origin header in any case to * now...

It looks like all the https://o1127159.ingest.sentry.io/api/6417371/envelope/?sentry_key=* requests have properly the Access-Control-Allow-Origin header but not the request https://o1127159.ingest.sentry.io/api/embed/error-page/?dsn=....

> @Amatewasu another question. Is this happening inside an iframe?

It is not happening inside an iframe. :)

Amatewasu commented 1 year ago

> @Amatewasu do you mind sharing the full URL inside the first error?

The full URL is: https://o1127159.ingest.sentry.io/api/embed/error-page/?dsn=https://8f845bb769e24d9eb37a25bfd63b9c96@o1127159.ingest.sentry.io/6417371&eventId=ca9ebacd763e4ca99bb0032b7ba2742d&title=Report%20an%20issue&name=Alexis%20DELRIEU&email=alexis.delrieu%40balyo.com

robert-king commented 1 year ago

"@sentry/angular-ivy": "^7.59.2", "@sentry/cli": "^2.19.4", "@sentry/webpack-plugin": "^2.4.0",

this was testing from localhost I think. (http to https).

HansAarneLiblik commented 1 year ago

@lforst Our self-hosted sentry is on version 23.3.1. If I remember correctly, we can't upgrade to the next version without upgrading our postgres database before

timkelty commented 1 year ago

@lforst I am experiencing the same CORS error with the /api/embed/error-page/, meaning I can't get User Feedback working at all.

Normal sentry reporting is working, but CORS errors occur when attempting to call Sentry.showReportDialog()

Details:

[screenshots: CleanShot 2023-07-26 at 16:56:47 and 16:58:43]

It looks like the failed request is a 302, which doesn't have an Access-Control-Allow-Origin

timkelty commented 1 year ago

UPDATE – @lforst I think the issue is indeed the redirect response missing the Access-Control-Allow-Origin header. As a test, I replaced the URL with the https://sentry.io domain it was 302ing to and the request worked.

kerenkhatiwada commented 1 year ago

@lforst Sharing the ZD ticket @timkelty wrote in case it is needed.

chadwhitacre commented 1 year ago

Reopening since this seems to be ongoing.

roggenkemper commented 1 year ago

@lforst

lforst commented 1 year ago

Hi, there is currently a deploy to Sentry going out that will attach an Access-Control-Allow-Origin: * header to the redirect response coming from *.ingest.sentry.io.

In my test app, this finally fixed the issue. Feel free to let me know in case this still seems to be a problem.

Amatewasu commented 1 year ago

@lforst The issue is fixed in my app. Thanks a lot!

timkelty commented 1 year ago

@lforst This has fixed the CORS errors for me, but I now get:

Refused to execute script from 'https://sentry.io/api/embed/error-page/?dsn=https://1d71f704d08d4bad95a66d041a087279@o4505162248945664.ingest.sentry.io/4505517755138048&isTrusted=true&_vts=1690860543286&eventId=undefined&pointerId=1&width=1&height=1&pressure=0&tiltX=0&tiltY=0&azimuthAngle=0&altitudeAngle=1.5707963267948966&tangentialPressure=0&twist=0&pointerType=mouse&isPrimary=false&getCoalescedEvents=function%20getCoalescedEvents()%20%7B%20%5Bnative%20code%5D%20%7D&getPredictedEvents=function%20getPredictedEvents()%20%7B%20%5Bnative%2...5Bobject%20SVGSVGElement%5D&returnValue=true&cancelBubble=false&NONE=0&CAPTURING_PHASE=1&AT_TARGET=2&BUBBLING_PHASE=3&composedPath=function%20composedPath()%20%7B%20%5Bnative%20code%5D%20%7D&initEvent=function%20initEvent()%20%7B%20%5Bnative%20code%5D%20%7D&preventDefault=function%20preventDefault()%20%7B%20%5Bnative%20code%5D%20%7D&stopImmediatePropagation=function%20stopImmediatePropagation()%20%7B%20%5Bnative%20code%5D%20%7D&stopPropagation=function%20stopPropagation()%20%7B%20%5Bnative%20code%5D%20%7D' because its MIME type ('application/json') is not executable, and strict MIME type checking is enabled.

… I believe because of the nosniff headers being returned.

It looks like that has been previously reported here: https://github.com/getsentry/sentry-javascript/issues/1439
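The two failure modes this thread runs into (a 302 from the ingest host that carries no Access-Control-Allow-Origin header, and a nosniff response whose Content-Type is not a script) can be checked against a response chain offline. This is an added example, not Sentry's code; the Hop model and the two sample chains are constructed to mirror the redirect described above, and the COEP rules are a simplification (CORP: same-site is not modelled).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Hop:
    """One response in a redirect chain (constructed model, not Sentry code)."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)

    def get(self, name: str):
        # HTTP header names are case-insensitive
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def check_embed_chain(hops: List[Hop], origin: str, cors: bool) -> Tuple[bool, List[str]]:
    """Simulate what a page sending COEP: require-corp needs from a cross-origin <script>.

    cors=True  models <script crossorigin="anonymous">: every hop, redirects included,
               must pass the CORS check (Access-Control-Allow-Origin: * or the page origin).
    cors=False models a plain <script>: every hop must instead carry
               Cross-Origin-Resource-Policy: cross-origin, or COEP blocks it.
    The final hop must also be an executable type: browsers refuse to run a
    nosniff response whose Content-Type is not JavaScript.
    """
    problems = []
    for i, hop in enumerate(hops):
        acao = hop.get("Access-Control-Allow-Origin")
        corp = hop.get("Cross-Origin-Resource-Policy")
        if cors and acao not in ("*", origin):
            problems.append(f"hop {i} ({hop.status}): no usable Access-Control-Allow-Origin")
        if not cors and corp != "cross-origin":
            problems.append(f"hop {i} ({hop.status}): no Cross-Origin-Resource-Policy: cross-origin")
    last = hops[-1]
    ctype = (last.get("Content-Type") or "").split(";")[0].strip().lower()
    nosniff = (last.get("X-Content-Type-Options") or "").lower() == "nosniff"
    if nosniff and ctype not in ("text/javascript", "application/javascript"):
        problems.append(f"final hop: nosniff with non-script Content-Type {ctype!r}")
    return (not problems, problems)


# Constructed chains: the ingest host 302s to sentry.io, which serves the script.
BROKEN_CHAIN = [
    Hop(302, {"Location": "https://sentry.io/api/embed/error-page/"}),  # redirect lacks ACAO
    Hop(200, {"Access-Control-Allow-Origin": "*", "Content-Type": "text/javascript"}),
]
FIXED_CHAIN = [
    Hop(302, {"Location": "https://sentry.io/api/embed/error-page/", "Access-Control-Allow-Origin": "*"}),
    Hop(200, {"Access-Control-Allow-Origin": "*", "Content-Type": "text/javascript"}),
]
```

Running the checker over real headers (for example from a self-hosted instance) means capturing each hop with redirects disabled, since a client that follows redirects only reports the final response.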

lforst commented 1 year ago

@timkelty this seems to be a different problem. Do you mind creating a different issue with reproduction steps? Thank you!

timkelty commented 1 year ago

@lforst done – https://github.com/getsentry/sentry-javascript/issues/8707

HansAarneLiblik commented 1 year ago

@lforst I'm a bit confused.

And now I'm faced with this CORS error.

Access to script at 'https://<my-sentry-server>/api/embed/error-page/?dsn=https://<key>@<my-sentry-server>/2&eventId=456a47141e2c4ecda4c2145f3aaaddb9&name=<redacted>&email=<redacted>' from origin 'https://<redacted>' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Is my only solution to ALSO upgrade my Sentry server?

lforst commented 1 year ago

> Is my only solution to ALSO upgrade my Sentry server?

@HansAarneLiblik yes