Closed Amatewasu closed 1 year ago
Assigning to @getsentry/support for routing, due by (sfo). ⏲️
I think we need relay to return Access-Control-Allow-Origin: * for this endpoint.
cc @jernejstrasner
Looks like a problem with the /api/embed/error-page/ endpoint, not a relay issue.
@jjbayer Damn I thought we served this over relay. Routing to sentry then.
seems like we need to add Cross-Origin-Resource-Policy: cross-origin to our error page response https://github.com/getsentry/sentry/blob/7d84829c2111305cd220b9ef1d482964b7bb45ad/src/sentry/web/frontend/error_page_embed.py#L230 , but need to do more digging on what's correct / implications. https://web.dev/why-coop-coep/
Failed to route for Product Area: Other. Defaulting to @getsentry/open-source for triage, due by (sea). ⏲️
Routing to @getsentry/product-owners-user-feedback for triage, due by (sfo). ⏲️
Hello, do you have any updates regarding this issue? Thank you!
Just opened a PR to fix this https://github.com/getsentry/sentry/pull/51138
Thank you a lot for the work!
By any chance, do you know when this change will be live?
@Amatewasu It has been live for two weeks. Are you still facing problems?
@lforst I just tested and I am still facing the issue.
In my JS browser console:
main.48957e68.js:2 GET https://o1127159.ingest.sentry.io/api/embed/error-page/?dsn=https://8f845bb769e24d9eb37a25bfd63b9c96@o1127159.ingest.sentry.io/6417371&eventId=e192e042fadc4ef7913fc88bef551dbc&title=Report%20an%20issue&name=`my_first_name%20my_last_name&email=my%40email.com net::ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep 302
And in the network tab:
So it looks like there is no Cross-Origin-Resource-Policy header?
Ah interesting, I thought this is implicitly gonna be resolved by setting an Access-Control-Allow-Origin header.
Seems like we also need to add a Cross-Origin-Resource-Policy: cross-origin header.
~Wait actually, shouldn't this be fixed by just setting a crossorigin attribute on the embedded script tag? I can see in your code snippet that you set crossOrigin = 'anonymous' which looks like a typo.~
Never mind, that seems to be the JS API for that.
@lforst Thank you for your answer. I just saw the PR you opened two weeks ago. I guess it is live now? (I am still facing the same issue)
I got the same error I think when trying to showDialog
{
  provide: ErrorHandler,
  useValue: Sentry.createErrorHandler({
    showDialog: true,
  }),
},
making showDialog: false fixes the error.
Access to script at 'https://o4505552496230400.ingest.sentry.io/api/embed/error-page/?dsn=https://721c9e37a0cd4a0e9412190604008a89@o4505552496230400.ingest.sentry.io/4505552757719040&eventId=e163e6e38ab34d9f830e145d7eb7c644' from origin 'http://localhost:4200' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
@lforst Upgrading from @sentry/react v7.57.0 to v7.58.1 (Where this fix(?) is included) our Sentry integration started to fail and I'm guessing these are related
Issue is present in Sentry but no ErrorDialog is presented to the user
Access to script at 'https://<my-sentry>/api/embed/error-page/?dsn=https://<sentry-key>@<my-sentry>/2&eventId=efc303799d1844d4bab7128fb52be69a&name=<username>&email=<email>' from origin 'https://<my-application>' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
This is how we're init'ing our Sentry
import * as Sentry from '@sentry/react';

Sentry.init({
  dsn: config.sentry_dsn,
  environment: config.environment,
  release: config.version,
  ignoreErrors: ['Request aborted'],
  autoSessionTracking: false,
  initialScope: {
    user: {...config.user, name: config.user.username},
  },
});
@Amatewasu Did you upgrade to the newest SDK version?
@robert-king What SDK version are you on?
@HansAarneLiblik what self-hosted version are you on?
@lforst I did not. Here's my current package.json:
"@sentry/cli": "^2.7.0",
"@sentry/integrations": "^7.16.0",
"@sentry/react": "^7.16.0",
"@sentry/rrweb": "^0.3.3",
"@sentry/tracing": "^7.16.0",
I will update the SDK and let you know about the result. Thanks!
@lforst I just updated my package.json and tested on an online development environment and I still get the issue.
Here's the screenshot of the error:
My new package.json (of course I've run npm install after the update):
"@sentry/cli": "2.19.4",
"@sentry/integrations": "^7.60.0",
"@sentry/react": "^7.60.0",
"@sentry/rrweb": "^0.3.3",
"@sentry/tracing": "^7.60.0",
(I can give you access to the page to reproduce if needed)
@Amatewasu do you mind sharing the full URL inside the first error?
I am a bit weirded out because we are setting the Access-Control-Allow-Origin header in any case to * now...
@Amatewasu another question. Is this happening inside an iframe?
@Amatewasu do you mind sharing the full URL inside the first error?
Sure, I have sent you an email.
I am a bit weirded out because we are setting the Access-Control-Allow-Origin header in any case to * now...
It looks like all the https://o1127159.ingest.sentry.io/api/6417371/envelope/?sentry_key=* requests have properly the Access-Control-Allow-Origin header but not the request https://o1127159.ingest.sentry.io/api/embed/error-page/?dsn=... .
@Amatewasu another question. Is this happening inside an iframe?
It is not happening inside an iframe. :)
@Amatewasu do you mind sharing the full URL inside the first error?
The full URL is: https://o1127159.ingest.sentry.io/api/embed/error-page/?dsn=https://8f845bb769e24d9eb37a25bfd63b9c96@o1127159.ingest.sentry.io/6417371&eventId=ca9ebacd763e4ca99bb0032b7ba2742d&title=Report%20an%20issue&name=Alexis%20DELRIEU&email=alexis.delrieu%40balyo.com
"@sentry/angular-ivy": "^7.59.2", "@sentry/cli": "^2.19.4", "@sentry/webpack-plugin": "^2.4.0",
this was testing from localhost I think. (http to https).
@lforst Our self-hosted sentry is on version 23.3.1. If I remember correctly, we can't upgrade to the next version without upgrading our postgres database before
@lforst I am experiencing the same CORS error with the /api/embed/error-page/, meaning I can't get User Feedback working at all.
Normal sentry reporting is working, but CORS errors occur when attempting to call Sentry.showReportDialog()
Details:
Project -> Allowed Domains in Sentry dashboard has my domain added.
It looks like the failed request is a 302, which doesn't have an Access-Control-Allow-Origin
…
UPDATE – @lforst I think the issue is indeed the redirect response missing the Access-Control-Allow-Origin header. As a test, I replaced the URL with the https://sentry.io domain it was 302ing to and the request worked.
@lforst Sharing the ZD ticket @timkelty has written in case it is needed.
Reopening since this seems to be ongoing.
@lforst
Hi, there is currently a deploy to Sentry going out that will attach an Access-Control-Allow-Origin: * header to the redirect response coming from *.ingest.sentry.io.
In my test app, this finally fixed the issue. Feel free to let me know in case this still seems to be a problem.
@lforst The issue is fixed in my app. Thanks a lot!
@lforst This has fixed the CORS errors for me, but I now get:
Refused to execute script from 'https://sentry.io/api/embed/error-page/?dsn=https://1d71f704d08d4bad95a66d041a087279@o4505162248945664.ingest.sentry.io/4505517755138048&isTrusted=true&_vts=1690860543286&eventId=undefined&pointerId=1&width=1&height=1&pressure=0&tiltX=0&tiltY=0&azimuthAngle=0&altitudeAngle=1.5707963267948966&tangentialPressure=0&twist=0&pointerType=mouse&isPrimary=false&getCoalescedEvents=function%20getCoalescedEvents()%20%7B%20%5Bnative%20code%5D%20%7D&getPredictedEvents=function%20getPredictedEvents()%20%7B%20%5Bnative%2...5Bobject%20SVGSVGElement%5D&returnValue=true&cancelBubble=false&NONE=0&CAPTURING_PHASE=1&AT_TARGET=2&BUBBLING_PHASE=3&composedPath=function%20composedPath()%20%7B%20%5Bnative%20code%5D%20%7D&initEvent=function%20initEvent()%20%7B%20%5Bnative%20code%5D%20%7D&preventDefault=function%20preventDefault()%20%7B%20%5Bnative%20code%5D%20%7D&stopImmediatePropagation=function%20stopImmediatePropagation()%20%7B%20%5Bnative%20code%5D%20%7D&stopPropagation=function%20stopPropagation()%20%7B%20%5Bnative%20code%5D%20%7D' because its MIME type ('application/json') is not executable, and strict MIME type checking is enabled.
… I believe because of the nosniff headers being returned.
It looks like that has been previously reported here: https://github.com/getsentry/sentry-javascript/issues/1439
@timkelty this seems to be a different problem. Do you mind creating a different issue with reproduction steps? Thank you!
@lforst done – https://github.com/getsentry/sentry-javascript/issues/8707
@lforst I'm a bit confused.
23.3.1
@sentry/react from version 7.57.0 to now 7.61.0
And now I'm faced with this CORS error.
Access to script at 'https://<my-sentry-server>/api/embed/error-page/?dsn=https://<key>@<my-sentry-server>/2&eventId=456a47141e2c4ecda4c2145f3aaaddb9&name=\ &email=\ ' from origin 'https://\ ' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Is my only solution to ALSO upgrade my Sentry server?
Is my only solution to ALSO upgrade my Sentry server?
@HansAarneLiblik yes
Environment
SaaS (https://sentry.io/)
Steps to Reproduce
Cross-Origin-Opener-Policy: same-origin
and Cross-Origin-Embedder-Policy: require-corp
)
Sentry.showReportDialog
Access-Control-Allow-Origin: *
for example)
Expected Result
Actual Result
The request is blocked by the browser:
"GET https://o1127159.ingest.sentry.io/api/embed/error-page/?dsn=https://8f845bb769e24d9eb37a25bfd63b9c96@o1127159.ingest.sentry.io/6417371&eventId=71e2f933bbb84e07828a4e6ed073ca34&title=Report%20an%20issue&name=NAME OF THE USER&email=EMAIL OF THE USER net::ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep 302"
For your information, following the previously mentioned error, I tried to hijack by inserting directly the Sentry's loaded script with the following piece of code:
but the request is also blocked by the browser:
Access to script at 'https://sentry.io/api/embed/error-page/?dsn=https://8f845bb769e24d9eb37a25bfd63b9c96@o1127159.ingest.sentry.io/6417371&eventId=b8b588b0bb014590adfb6f93de24550f&title=Report%20an%20issue&name=undefined&email=undefined' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
GET https://sentry.io/api/embed/error-page/?dsn=https://8f845bb769e24d9eb37a25bfd63b9c96@o1127159.ingest.sentry.io/6417371&eventId=b8b588b0bb014590adfb6f93de24550f&title=Report%20an%20issue&name=undefined&email=undefined net::ERR_FAILED 200 (OK)
Product Area
User Feedback
Link
(can be provided on request but is not publicly available)
DSN
https://8f845bb769e24d9eb37a25bfd63b9c96@o1127159.ingest.sentry.io/6417371
Version
No response
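
The per-hop header checks diagnosed in this thread (a 302 on the ingest host followed by the final response), as an added example that is not part of the original issue or Sentry's code. It is a simplified model of the browser's behaviour; `evaluateScriptLoad` and the `*.example` hosts are hypothetical, and CORP `same-site`, credentialed CORS and preflights are left out.

```javascript
// Added example: simplified model of the checks a browser applies to each
// response (redirects included) when a page loads a cross-origin <script>.
function evaluateScriptLoad({ pageOrigin, coep, crossorigin, chain }) {
  const corsMode = crossorigin !== undefined; // <script crossorigin=...> => CORS request
  let tainted = false; // Origin header is sent as "null" after some cross-origin redirects
  for (let i = 0; i < chain.length; i++) {
    const { url, status, headers } = chain[i];
    const h = Object.fromEntries(
      Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
    const hopOrigin = new URL(url).origin;
    const block = (reason) => ({ allowed: false, hop: i, status, reason });
    if (corsMode && (hopOrigin !== pageOrigin || tainted)) {
      // The CORS check runs on every response, 3xx redirects included.
      const acao = h['access-control-allow-origin'];
      if (acao !== '*' && acao !== (tainted ? 'null' : pageOrigin)) {
        return block('CORS: no matching Access-Control-Allow-Origin');
      }
    } else if (!corsMode && hopOrigin !== pageOrigin) {
      // no-cors load: CORP check. COEP require-corp treats a missing header as same-origin.
      const corp = h['cross-origin-resource-policy'] ??
        (coep === 'require-corp' ? 'same-origin' : undefined);
      if (corp !== undefined && corp !== 'cross-origin') {
        return block(`CORP: ${corp}`);
      }
    }
    // A redirect from one foreign origin to another taints the request origin.
    const next = chain[i + 1];
    if (next && hopOrigin !== pageOrigin && new URL(next.url).origin !== hopOrigin) {
      tainted = true;
    }
  }
  return { allowed: true };
}

// Constructed sample: a 302 on an ingest host redirecting to the application host.
const redirectChain = (hop302Headers, finalHeaders) => [
  { url: 'https://o1.ingest.example/api/embed/error-page/', status: 302, headers: hop302Headers },
  { url: 'https://app.example/api/embed/error-page/', status: 200, headers: finalHeaders },
];
const page = { pageOrigin: 'http://localhost:3000', coep: 'require-corp' };
const acaoStar = { 'Access-Control-Allow-Origin': '*' };

const noCorsLoad = evaluateScriptLoad({ ...page, chain: redirectChain({}, acaoStar) });
const corsBare302 = evaluateScriptLoad({ ...page, crossorigin: 'anonymous', chain: redirectChain({}, acaoStar) });
const corsFixed = evaluateScriptLoad({ ...page, crossorigin: 'anonymous', chain: redirectChain(acaoStar, acaoStar) });
console.log({ noCorsLoad, corsBare302, corsFixed });
```

Because the redirect crosses from one foreign origin to another, the final response has to answer with `*` (or `null`); echoing the page's own origin there would not pass in this model.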