
Allows cors on ingest.sentry.io #49535

Closed
Amatewasu opened this issue May 10, 2023 · 39 comments · Fixed by #51138

Comments

@Amatewasu

Amatewasu commented May 10, 2023

Environment

SaaS (https://sentry.io/)

Steps to Reproduce

  1. Add same origin headers (Cross-Origin-Opener-Policy: same-origin and Cross-Origin-Embedder-Policy: require-corp)
  2. Call Sentry.showReportDialog
  3. The request is blocked by the browser because it lacks CORS headers on the server (Access-Control-Allow-Origin: * for example)
  4. The user feedback dialog is therefore not shown to the user

Expected Result

  • Not block the request
  • Display the user feedback dialog to the user

Actual Result

The request is blocked by the browser:
"GET https://o1127159.ingest.sentry.io/api/embed/error-page/?dsn=https://8f845bb769e24d9eb37a25bfd63b9c96@o1127159.ingest.sentry.io/6417371&eventId=71e2f933bbb84e07828a4e6ed073ca34&title=Report%20an%20issue&name=NAME OF THE USER*&email=EMAIL OF THE USERnet::ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep 302"

For your information, following the previously mentioned error, I tried to hijack it by inserting Sentry's loaded script directly, with the following piece of code:

// Remove any script element Sentry already injected for the report dialog.
const scriptSentryId = 'sentry-error-embed';
const scriptSentryEls = document.querySelectorAll(`#${scriptSentryId}`);
scriptSentryEls.forEach((scriptSentryEl) => {
  if (scriptSentryEl instanceof HTMLElement) {
    scriptSentryEl.remove();
  }
});

// `profile` (the current user) and `event` (the captured Sentry event) come from the surrounding application code.
const username = profile && 'name' in profile ? profile.name : undefined;
const email = profile && 'email' in profile ? profile.email : undefined;
// Build the embed URL by hand, pointing at sentry.io directly instead of the ingest host.
const urlSentryReport = `https://sentry.io/api/embed/error-page/?dsn=https://8f845bb769e24d9eb37a25bfd63b9c96@o1127159.ingest.sentry.io/6417371&eventId=${event.event_id}&title=Report%20an%20issue&name=${username}&email=${email}`;
// Re-inject the script ourselves, requesting it in CORS mode.
const scriptShowReportDialog = document.createElement('script');
scriptShowReportDialog.id = scriptSentryId;
scriptShowReportDialog.type = 'text/javascript';
scriptShowReportDialog.async = true;
scriptShowReportDialog.crossOrigin = 'anonymous';
scriptShowReportDialog.referrerPolicy = 'no-referrer';
scriptShowReportDialog.src = urlSentryReport;
document.body.appendChild(scriptShowReportDialog);

but the request is also blocked by the browser:
Access to script at 'https://sentry.io/api/embed/error-page/?dsn=https://8f845bb769e24d9eb37a25bfd63b9c96@o1127159.ingest.sentry.io/6417371&eventId=b8b588b0bb014590adfb6f93de24550f&title=Report%20an%20issue&name=undefined&email=undefined' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. GET https://sentry.io/api/embed/error-page/?dsn=https://8f845bb769e24d9eb37a25bfd63b9c96@o1127159.ingest.sentry.io/6417371&eventId=b8b588b0bb014590adfb6f93de24550f&title=Report%20an%20issue&name=undefined&email=undefined net::ERR_FAILED 200 (OK)

Product Area

User Feedback

Link

(can be provided on request but is not publicly available)

DSN

https://8f845bb769e24d9eb37a25bfd63b9c96@o1127159.ingest.sentry.io/6417371

Version

No response

@getsantry
Contributor

getsantry bot commented May 10, 2023

Assigning to @getsentry/support for routing, due by Wednesday, May 10th at 5:00 pm (sfo). ⏲️

@kerenkhatiwada kerenkhatiwada transferred this issue from getsentry/sentry May 10, 2023
@lforst
Member

lforst commented May 19, 2023

I think we need relay to return Access-Control-Allow-Origin: * for this endpoint.

@lforst
Member

lforst commented May 19, 2023

cc @jernejstrasner

@jjbayer
Member

jjbayer commented May 22, 2023

Looks like a problem with the /api/embed/error-page/ endpoint, not a relay issue.

@lforst
Member

lforst commented May 22, 2023

@jjbayer Damn I thought we served this over relay. Routing to sentry then.

@lforst lforst transferred this issue from getsentry/sentry-javascript May 22, 2023
@JoshFerge
Member

seems like we need to add Cross-Origin-Resource-Policy: cross-origin to our error page response

return render_to_response(

but need to do more digging on what's correct / implications. https://web.dev/why-coop-coep/

@getsantry
Contributor

getsantry bot commented May 23, 2023

Failed to route for Product Area: Other. Defaulting to @getsentry/open-source for triage, due by Thursday, May 25th at 12:09 pm (sea). ⏲️

@getsantry
Contributor

getsantry bot commented May 24, 2023

Routing to @getsentry/product-owners-user-feedback for triage, due by Friday, May 26th at 9:58 am (sfo). ⏲️

@Amatewasu
Author

Hello, do you have any updates regarding this issue? Thank you!

@lforst
Member

lforst commented Jun 16, 2023

Just opened a PR to fix this #51138

@Amatewasu
Author

Thank you a lot for the work!

By any chance, do you know when this change will be live?

@lforst
Member

lforst commented Jul 24, 2023

@Amatewasu do you mind sharing the full URL inside the first error?

I am a bit weirded out because we are setting the Access-Control-Allow-Origin header in any case to * now...

@lforst
Member

lforst commented Jul 24, 2023

@Amatewasu another question. Is this happening inside an iframe?

@Amatewasu
Author

@Amatewasu do you mind sharing the full URL inside the first error?

Sure, I have sent you an email.

I am a bit weirded out because we are setting the Access-Control-Allow-Origin header in any case to * now...

It looks like all the https://o1127159.ingest.sentry.io/api/6417371/envelope/?sentry_key=* requests properly have the Access-Control-Allow-Origin header, but not the request https://o1127159.ingest.sentry.io/api/embed/error-page/?dsn=....

@Amatewasu another question. Is this happening inside an iframe?

It is not happening inside an iframe. :)

@Amatewasu
Author

@Amatewasu do you mind sharing the full URL inside the first error?

The full URL is: https://o1127159.ingest.sentry.io/api/embed/error-page/?dsn=https://8f845bb769e24d9eb37a25bfd63b9c96@o1127159.ingest.sentry.io/6417371&eventId=ca9ebacd763e4ca99bb0032b7ba2742d&title=Report%20an%20issue&name=Alexis%20DELRIEU&email=alexis.delrieu%40balyo.com

@robert-king

"@sentry/angular-ivy": "^7.59.2",
"@sentry/cli": "^2.19.4",
"@sentry/webpack-plugin": "^2.4.0",

this was testing from localhost I think. (http to https).

@HansAarneLiblik

@lforst Our self-hosted sentry is on version 23.3.1. If I remember correctly, we can't upgrade to the next version without upgrading our postgres database first

@timkelty

timkelty commented Jul 26, 2023

@lforst I am experiencing the same CORS error with the /api/embed/error-page/, meaning I can't get User Feedback working at all.

Normal sentry reporting is working, but CORS errors occur when attempting to call Sentry.showReportDialog()

Details:

[Screenshots: CleanShot 2023-07-26 at 16 56 47@2x, CleanShot 2023-07-26 at 16 58 43@2x]

It looks like the failed request is a 302, which doesn't have an Access-Control-Allow-Origin

@timkelty

UPDATE – @lforst I think the issue is indeed the redirect response missing the Access-Control-Allow-Origin header. As a test, I replaced the URL with the https://sentry.io domain it was 302ing to and the request worked.

@kerenkhatiwada
Member

@lforst Sharing the ZD ticket @timkelty has written in case it is needed.

@chadwhitacre
Member

Reopening since this seems to be ongoing.

@roggenkemper
Member

@lforst

@oioki oioki closed this as completed Jul 31, 2023
@lforst
Member

lforst commented Jul 31, 2023

Hi, there is currently a deploy to Sentry going out that will attach an Access-Control-Allow-Origin: * header to the redirect response coming from *.ingest.sentry.io.

In my test app, this finally fixed the issue. Feel free to let me know in case this still seems to be a problem.

@Amatewasu
Author

@lforst The issue is fixed in my app. Thanks a lot!

@timkelty

timkelty commented Aug 1, 2023

@lforst This has fixed the CORS errors for me, but I now get:

Refused to execute script from 'https://sentry.io/api/embed/error-page/?dsn=https://1d71f704d08d4bad95a66d041a087279@o4505162248945664.ingest.sentry.io/4505517755138048&isTrusted=true&_vts=1690860543286&eventId=undefined&pointerId=1&width=1&height=1&pressure=0&tiltX=0&tiltY=0&azimuthAngle=0&altitudeAngle=1.5707963267948966&tangentialPressure=0&twist=0&pointerType=mouse&isPrimary=false&getCoalescedEvents=function%20getCoalescedEvents()%20%7B%20%5Bnative%20code%5D%20%7D&getPredictedEvents=function%20getPredictedEvents()%20%7B%20%5Bnative%2...5Bobject%20SVGSVGElement%5D&returnValue=true&cancelBubble=false&NONE=0&CAPTURING_PHASE=1&AT_TARGET=2&BUBBLING_PHASE=3&composedPath=function%20composedPath()%20%7B%20%5Bnative%20code%5D%20%7D&initEvent=function%20initEvent()%20%7B%20%5Bnative%20code%5D%20%7D&preventDefault=function%20preventDefault()%20%7B%20%5Bnative%20code%5D%20%7D&stopImmediatePropagation=function%20stopImmediatePropagation()%20%7B%20%5Bnative%20code%5D%20%7D&stopPropagation=function%20stopPropagation()%20%7B%20%5Bnative%20code%5D%20%7D' because its MIME type ('application/json') is not executable, and strict MIME type checking is enabled.

… I believe because of the nosniff headers being returned.

It looks like that has been previously reported here: getsentry/sentry-javascript#1439
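The chain of responses discussed in this thread (the original report's COEP block, the 302 from *.ingest.sentry.io that carried no Access-Control-Allow-Origin, and the nosniff/MIME refusal in the comment above) can be checked mechanically from captured response headers. What follows is an added example, not code from this issue, from Sentry or from its SDKs. It audits each hop of a redirect chain as a page served with Cross-Origin-Embedder-Policy: require-corp would, in both CORS mode (a script with the crossorigin attribute, which needs Access-Control-Allow-Origin on every hop, redirects included) and no-cors mode (which needs Cross-Origin-Resource-Policy: cross-origin on every hop), and additionally flags a final hop that nosniff makes non-executable. The hops are constructed sample data: the hostnames mirror the thread, while the DSN and event id are placeholders.

```javascript
// Added example (not from the Sentry issue or Sentry's code): audit a captured
// redirect chain for the failure modes described in the thread. Hop data is
// constructed; DSN and event id are placeholders.

const JS_MIME_ESSENCES = new Set([
  'text/javascript', 'application/javascript', 'application/x-javascript',
  'application/ecmascript', 'text/ecmascript',
]);

function lowerCaseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = String(value);
  return out;
}

// CORS check on one response: "*" or the exact requesting origin.
function corsAllows(headers, requestOrigin) {
  const acao = headers['access-control-allow-origin'];
  return acao === '*' || acao === requestOrigin;
}

// CORP opt-in that COEP: require-corp demands for no-cors cross-origin loads.
function corpAllows(headers) {
  return (headers['cross-origin-resource-policy'] || '').toLowerCase() === 'cross-origin';
}

function isJavaScriptMime(contentType) {
  if (!contentType) return false;
  return JS_MIME_ESSENCES.has(contentType.split(';')[0].trim().toLowerCase());
}

// hops: [{ url, status, headers }] in the order the browser received them.
// mode: 'cors' (script has crossorigin) or 'no-cors'. Returns problem strings;
// an empty array means the script would load under COEP: require-corp.
function auditRedirectChain(hops, requestOrigin, mode) {
  const problems = [];
  hops.forEach((hop, index) => {
    const h = lowerCaseHeaders(hop.headers);
    const isRedirect = hop.status >= 300 && hop.status < 400;
    const allowed = mode === 'cors' ? corsAllows(h, requestOrigin) : corpAllows(h);
    if (!allowed) {
      const needed = mode === 'cors'
        ? `Access-Control-Allow-Origin matching ${requestOrigin}`
        : 'Cross-Origin-Resource-Policy: cross-origin';
      problems.push(`hop ${index} (${hop.status} ${hop.url}): missing ${needed}`
        + (isRedirect ? '; the redirect is blocked before it is followed' : ''));
    }
    // A nosniff response is only executed as a script if its Content-Type is a JS type.
    if (!isRedirect
        && (h['x-content-type-options'] || '').toLowerCase() === 'nosniff'
        && !isJavaScriptMime(h['content-type'])) {
      problems.push(`hop ${index} (${hop.status} ${hop.url}): nosniff with Content-Type `
        + `${h['content-type']} is not executable as a script`);
    }
  });
  return problems;
}

// Constructed sample: the ingest host answers with a 302 to sentry.io.
const INGEST_URL = 'https://oEXAMPLE.ingest.sentry.io/api/embed/error-page/?dsn=DSN_PLACEHOLDER&eventId=EVENT_ID_PLACEHOLDER';
const FINAL_URL = 'https://sentry.io/api/embed/error-page/?dsn=DSN_PLACEHOLDER&eventId=EVENT_ID_PLACEHOLDER';
const finalHop = {
  url: FINAL_URL, status: 200,
  headers: { 'Access-Control-Allow-Origin': '*', 'Content-Type': 'text/javascript; charset=utf-8',
             'X-Content-Type-Options': 'nosniff' },
};
// Before the fix: the redirect hop carries only Location.
const chainBefore = [{ url: INGEST_URL, status: 302, headers: { Location: FINAL_URL } }, finalHop];
// After the fix: the redirect hop also answers Access-Control-Allow-Origin: *.
const chainAfter = [
  { url: INGEST_URL, status: 302, headers: { Location: FINAL_URL, 'Access-Control-Allow-Origin': '*' } },
  finalHop,
];
// The later report: CORS passes, but the body is JSON under nosniff.
const chainJsonBody = [chainAfter[0], { url: FINAL_URL, status: 200,
  headers: { 'Access-Control-Allow-Origin': '*', 'Content-Type': 'application/json',
             'X-Content-Type-Options': 'nosniff' } }];
// The no-cors variant: every hop opts in with CORP: cross-origin.
const chainCorp = chainAfter.map((hop) => ({
  ...hop, headers: { ...hop.headers, 'Cross-Origin-Resource-Policy': 'cross-origin' },
}));

function demo() {
  const origin = 'http://localhost:3000';
  return {
    before: auditRedirectChain(chainBefore, origin, 'cors'),
    after: auditRedirectChain(chainAfter, origin, 'cors'),
    jsonBody: auditRedirectChain(chainJsonBody, origin, 'cors'),
    noCorsWithoutCorp: auditRedirectChain(chainAfter, origin, 'no-cors'),
    noCorsWithCorp: auditRedirectChain(chainCorp, origin, 'no-cors'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node; the `before` chain reports the 302 hop, `after` reports nothing, and `jsonBody` reports the non-executable final hop. The `no-cors` results show why Cross-Origin-Resource-Policy: cross-origin, as suggested earlier in the thread, is the header that matters when the script is loaded without the crossorigin attribute.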

@lforst
Member

lforst commented Aug 1, 2023

@timkelty this seems to be a different problem. Do you mind creating a different issue with reproduction steps? Thank you!

@timkelty

timkelty commented Aug 1, 2023

@lforst done – getsentry/sentry-javascript#8707

@HansAarneLiblik

HansAarneLiblik commented Aug 7, 2023

@lforst I'm a bit confused.

  • My self-hosted Sentry server was always at the same version 23.3.1
  • Tried to upgrade my @sentry/react from version 7.57.0 to now 7.61.0

And now I'm faced with this CORS error.

Access to script at 'https://<my-sentry-server>/api/embed/error-page/?dsn=https://<key>@<my-sentry-server>/2&eventId=456a47141e2c4ecda4c2145f3aaaddb9&name=<name>&email=<email>' from origin 'https://<my-client>' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Is my only solution to ALSO upgrade my Sentry server?

@lforst
Member

lforst commented Aug 7, 2023

Is my only solution to ALSO upgrade my Sentry server?

@HansAarneLiblik yes

@github-actions github-actions bot locked and limited conversation to collaborators Aug 22, 2023