Reporting-API (Reporting-Endpoints) support #38940
Comments
|
CC @bhollis |
|
Hey! We do support the Reporting API via ReportingObservers, but the headers sounds super interesting. We already support a variety of headers for security reporting, and I think it would be good for us to support This requires changes to the Sentry product and Relay (our event ingestion system) - so I'll transfer this GH issue to that repo! |
|
Routing to @getsentry/ingest for triage. ⏲️ |
|
Thanks @bkotsopoulossc for reporting this! This does sound like something Sentry will support eventually. We will discuss it internally and get back to you. |
|
That is awesome! I didn’t even realize the JS API existed. The main value I see with the header based API is for crashes. I imagine that if a browser tab crashes, it would be challenging for the browser to fire the report to a URL registered through JS. Even though the docs for the JS one mention supporting crashes, they say “and crash (although this last type usually isn't retrievable via a ReportingObserver”. Does that line up with what you’d expect as well? |
Yup, crashes are probably the most useful thing we'd get here if we instrument this - it'll unlock a whole category of issues that previously weren't visible because we rely on JS to be running on the page. For others who are following along, you can do this yourself while you wait for Sentry to build out a 1st class solution. You would:
So you would try mapping the report API format -> a Sentry event, and then sending that Sentry event to Sentry! |
|
I love that idea! We were thinking of building a custom UI to view these events that we infest on our server but sending right back to our sentry project sounds way better! |
|
Alright some additional context when we eventually take this on. We probably want to skip out on using There is also Network Error Logging, which isn't supported by
We can just wait till that new mechanism is decided and use that! Some internal links for Sentry folks - sorry open source people this has Sentry Saas customer info so we can't share them publicly. https://getsentry.atlassian.net/browse/FEEDBACK-251 - feedback ticket about https://sentry.zendesk.com/agent/tickets/15696 - |
danielkhan
assigned smeubank and AbhiPrasad and unassigned danielkhan, ale-cota and smeubank
|
@AbhiPrasad and @smeubank please start product discovery and pick up the existing threads on this topic as well. |
|
excuse me while I post here some musings around CSP reporting and related :) CSP has come up in a number of different places and I believe could stand for a more holistic approach to understanding the problem space and how best to surface them to users and enable devs to use more of Sentry to make CSP events more actionable. Meaning SDK and Sentry product work Some of these links are surely conflated, the problem space needs to be mapped out better (I need to understand it better :) ) to understand what needs to be improved from the perspective of:
|
|
@AbhiPrasad @smeubank Are you actively working on this issue? Can we remove assignees? |
|
We are not actively working on this, will remove. |
|
@danielkhan Any intentions for Sentry to put this on the roadmap somewhere soon? Right now we're building a separate lambda as per the workaround. But we have issues with Sentry marking the events originating from the lambda, instead of from the client itself. |
|
Hm, not sure if there's a good product area that this should belong to, |
|
Looks like @danielkhan is out of office. @AbhiPrasad or @smeubank, would either of you be able to answer the question? |
|
This is a little unowned right now, but we can figure that out.
@guidobouman do you mind describing this workaround and what you are doing with the lambda? How is that related to the reporting API? |
|
I am assigning this to me for now. Let's clarify the Lambda use case as @AbhiPrasad suggested. I will discuss this with @smeubank. |
|
As the Reporting API is not yet supported with the ingestion endpoints, we've created our own minimal endpoint in which we receive the reports and manually send that into Sentry as a workaround. It's not a bug, just a feature request, so we don't have to maintain our own custom reporting endpoint. |
|
Basically we've implemented the workaround from @AbhiPrasad's message:
One minor problem we run into is the origin of those events. |
We've managed to impersonate the other project from our service, and can now send events into sentry on behalf of another project. Still, it's a manual proxy implementation, and would prefer to actually use the Sentry reporting endpoint when possible. |
Problem Statement
Chrome 96 supports a new reporting API for CSP violations and other bad things. Is Sentry considering supporting this? Having a way to ingest and display these reports?
https://web.dev/reporting-api/
Solution Brainstorm
This could be similar to how sentry supports the
report-uridirective, with thesentry.io/api/security/endpointThe text was updated successfully, but these errors were encountered: