getsentry / team-ospo

Open Source Program Office (OSPO)
https://open.sentry.io/

Collect CSP violations from the field #132

Open chadwhitacre opened 1 year ago

chadwhitacre commented 1 year ago

@oioki is proposing in https://github.com/getsentry/sentry/pull/47980 to add a minimal CSP implementation for self-hosted. Do we want to collect these from the field?

The consent we have from some users would cover this as a case of "runtime errors":

Would you be willing to let us automatically send data about your instance upstream to Sentry for development and debugging purposes?

  • OS username
  • IP address
  • install log
  • runtime errors
  • performance data

I like the idea of starting to collect runtime errors from the field. It's a direction I'd like to move in to a) use our own product more and b) better understand pain points so we can improve the product experience for our users.

A few questions:

  1. What is the expected volume of reports? Can our self-hosted dogfood instance handle it w/o modification?
  2. Do we expect self-hosted users to want to change the default configuration in the normal case?
  3. Do we expect arbitrary resources to be loaded via some sort of user-generated content? Or do we expect that we are in complete control of the resources that might get loaded? Or ... ?

chadwhitacre commented 1 year ago

@oioki I assume this is you. :o)

oioki commented 1 year ago

  1. If misconfigured, the volume of CSP reports could be quite high, depending on how many visitors a Sentry instance has. Could be millions per day or more. But even if configured correctly, there could be a lot of violations that are generated by browser plugins and other mysterious forces. If we (ever) start to collect CSP reports from the field, the bigger problem is that we really don't have much control over the source, i.e. we can't disable CSP reporting remotely. Somewhat good news, django-csp allows throttling of reports. For example, we can collect only 1% of all CSP violations.
  2. I don't think self-hosted users will have to change (extend) the default configuration unless they have some customizations of the Sentry code.
  3. That's a good question, we need to figure this out.

chadwhitacre commented 1 year ago

django-csp allows throttling of reports

Seems of limited utility if it is set on instances in the field, long cycle to change the threshold if needed (assuming I understand this right).
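The throttling and browser-extension noise discussed in this thread, as an added example that is not Sentry's or django-csp's code: it parses the JSON body a browser POSTs to a `report-uri` endpoint and applies the sample percentage on the receiving side, so the rate can be changed without touching instances in the field. The report payload, the `handle_csp_report` function and the injectable `rand` parameter are all constructed for this example.

```python
import json
import random
from typing import Callable, Optional

# Constructed sample CSP violation report, shaped like what a browser POSTs
# to a report-uri endpoint (not captured from any real Sentry instance).
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://sentry.example/issues/",
        "violated-directive": "script-src",
        "effective-directive": "script-src",
        "blocked-uri": "https://cdn.example/app.js",
        "original-policy": "default-src 'self'; report-uri /csp-report/",
    }
}).encode()

# URI schemes that indicate the violation came from a browser extension
# rather than from a resource the page itself tried to load.
EXTENSION_SCHEMES = ("chrome-extension:", "moz-extension:",
                     "safari-extension:", "safari-web-extension:")


def parse_csp_report(body: bytes) -> Optional[dict]:
    """Return the inner 'csp-report' object, or None if the body is not a valid report."""
    try:
        data = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict) or "violated-directive" not in report:
        return None
    return report


def is_extension_noise(report: dict) -> bool:
    """True when the blocked resource or its source file belongs to a browser extension."""
    blocked = str(report.get("blocked-uri", "")).lower()
    source = str(report.get("source-file", "")).lower()
    return blocked.startswith(EXTENSION_SCHEMES) or source.startswith(EXTENSION_SCHEMES)


def handle_csp_report(body: bytes, sample_percentage: float,
                      rand: Callable[[], float] = random.random) -> Optional[dict]:
    """Receiver-side throttle: drop malformed bodies and extension noise,
    then keep only sample_percentage percent of the remaining reports."""
    report = parse_csp_report(body)
    if report is None or is_extension_noise(report):
        return None
    if rand() * 100 >= sample_percentage:  # e.g. 1.0 keeps roughly 1% of reports
        return None
    return {
        "directive": report.get("effective-directive") or report["violated-directive"],
        "blocked_uri": report.get("blocked-uri", ""),
        "document_uri": report.get("document-uri", ""),
    }
```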