All calls to /envelope blocked by CSRF #598
edit: nvm; should be caught by the
update: this may be unrelated to onpremise, but instead some k8s ingress config. Feel free to ignore for now; will post back here after we've done some investigation on our end.
I was able to use performance with the current on-premise setup so I think this is related to your k8s setup as you mentioned. Closing for now but I'll reopen if it turns out there's something we need to fix.
@walkerdb I am seeing the same issue while trying to upgrade to latest release
Can you share what config change helped you in fixing the issue? Thank you.
@chhetripradeep we're using sentry-kubernetes helm charts for deploying, and we believe we ran into this issue because they don't yet have relay support. There's a PR in the works that we think will fix our issue here: sentry-kubernetes/charts#130. If you're not using those then you may need to manually make sure you have relay running and configured correctly. But generally at least for us it's unrelated to this on-premise repo.
Hi @walkerdb thank you for your quick response. We have our own internal helm chart which doesn't use relay. Is relay a mandatory component now? My understanding was that it was an optional component.
@chhetripradeep My understanding is that as of sentry v20.7 some details of how sentry manages CSRF changed internally. It works correctly when using relay, but if you're using something like a k8s nginx ingress point you may be able to get it working with the right config tweaking. Not sure what that would need to be.
versions involved:
organizations:performance-view
@sentry/react and @sentry/apm, both at 5.19.1

From the browser, requests to api/[project-id]/store for js errors work fine. However, perf tracing requests to api/[project-id]/envelope fail with a 403. The 403 response has some html about a CSRF token not being set:

From the outside it seems like the request validation paths for the two endpoints are different. Is there additional config we need to set on our end for this to work, or is the issue somewhere else? Is the JS lib supposed to have some communication from the backend to get a CSRF token before sending the /envelope requests?

our browser config: