Allows cors on ingest.sentry.io #49535

Closed
@Amatewasu

Description

Environment

SaaS (https://sentry.io/)

Steps to Reproduce

  1. Add same-origin headers (Cross-Origin-Opener-Policy: same-origin and Cross-Origin-Embedder-Policy: require-corp)
  2. Call Sentry.showReportDialog
  3. The request is blocked by the browser because the server response lacks CORS headers (for example Access-Control-Allow-Origin: *)
  4. The user feedback dialog is therefore not shown to the user

Expected Result

  • Not block the request
  • Display the user feedback dialog to the user

Actual Result

The request is blocked by the browser:
"GET https://o1127159.ingest.sentry.io/api/embed/error-page/?dsn=https://8f845bb769e24d9eb37a25bfd63b9c96@o1127159.ingest.sentry.io/6417371&eventId=71e2f933bbb84e07828a4e6ed073ca34&title=Report%20an%20issue&name=NAME OF THE USER*&email=EMAIL OF THE USERnet::ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep 302"

For your information, following the previously mentioned error, I tried to hijack it by directly inserting the script Sentry loads, with the following piece of code:

// Remove any report-dialog script the SDK already injected so it can be re-added.
const scriptSentryId = 'sentry-error-embed';
const scriptSentryEls = document.querySelectorAll(`#${scriptSentryId}`);
scriptSentryEls.forEach((scriptSentryEl) => {
  if (scriptSentryEl instanceof HTMLElement) {
    scriptSentryEl.remove();
  }
});

// `profile` (current user) and `event` (the captured Sentry event) come from the
// surrounding application code.
const username = profile && 'name' in profile ? profile.name : undefined;
const email = profile && 'email' in profile ? profile.email : undefined;
const urlSentryReport = `https://sentry.io/api/embed/error-page/?dsn=https://8f845bb769e24d9eb37a25bfd63b9c96@o1127159.ingest.sentry.io/6417371&eventId=${event.event_id}&title=Report%20an%20issue&name=${username}&email=${email}`;

// Re-create the script tag by hand, this time as a CORS-mode load
// (crossOrigin = 'anonymous') instead of the SDK's plain no-cors load.
const scriptShowReportDialog = document.createElement('script');
scriptShowReportDialog.id = scriptSentryId;
scriptShowReportDialog.type = 'text/javascript';
scriptShowReportDialog.async = true;
scriptShowReportDialog.crossOrigin = 'anonymous';
scriptShowReportDialog.referrerPolicy = 'no-referrer';
scriptShowReportDialog.src = urlSentryReport;
document.body.appendChild(scriptShowReportDialog);

but the request is also blocked by the browser:
Access to script at 'https://sentry.io/api/embed/error-page/?dsn=https://8f845bb769e24d9eb37a25bfd63b9c96@o1127159.ingest.sentry.io/6417371&eventId=b8b588b0bb014590adfb6f93de24550f&title=Report%20an%20issue&name=undefined&email=undefined' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. GET https://sentry.io/api/embed/error-page/?dsn=https://8f845bb769e24d9eb37a25bfd63b9c96@o1127159.ingest.sentry.io/6417371&eventId=b8b588b0bb014590adfb6f93de24550f&title=Report%20an%20issue&name=undefined&email=undefined net::ERR_FAILED 200 (OK)

Product Area

User Feedback

Link

(can be provided on request but is not publicly available)

DSN

https://8f845bb769e24d9eb37a25bfd63b9c96@o1127159.ingest.sentry.io/6417371

Version

No response
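The two failures in the report follow from how a document served with Cross-Origin-Embedder-Policy: require-corp treats cross-origin script responses. The model below is an added example (not code from the issue, the Sentry SDK or the browser); the function, its inputs and the constructed header maps are assumptions of this example, while the header names and the blocking conditions follow the browser errors quoted above.

```javascript
// Added example: decide whether a COEP: require-corp document may load a
// cross-origin <script>. Constructed model, not browser or Sentry code.
//   req.mode: 'no-cors' (plain <script src>) or 'cors' (crossorigin="anonymous")
//   headers:  lower-cased response headers of the script resource
// Returns 'allow' or a 'block:<reason>' string.
function coepRequireCorpDecision(req, headers) {
  if (req.requesterOrigin === req.resourceOrigin) {
    return 'allow'; // COEP only constrains cross-origin loads
  }

  if (req.mode === 'cors') {
    // crossorigin="anonymous" makes this a CORS-mode fetch: the response must
    // carry Access-Control-Allow-Origin matching the requester, or "*".
    // Without it the browser reports "No 'Access-Control-Allow-Origin' header".
    const acao = headers['access-control-allow-origin'];
    if (acao === '*' || acao === req.requesterOrigin) return 'allow';
    return 'block:cors-missing-allow-origin';
  }

  // A plain <script src> is a no-cors request. Under require-corp a no-cors
  // response without Cross-Origin-Resource-Policy is treated as "same-origin",
  // so a cross-origin one fails with
  // net::ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep
  const corp = (headers['cross-origin-resource-policy'] || 'same-origin').toLowerCase();
  if (corp === 'cross-origin') return 'allow';
  if (corp === 'same-site' && sameSite(req.requesterOrigin, req.resourceOrigin)) return 'allow';
  return 'block:corp-defaulted-to-same-origin';
}

// Simplified same-site check on the last two host labels (constructed helper;
// a real browser consults the Public Suffix List and the scheme).
function sameSite(a, b) {
  const site = (o) => new URL(o).hostname.split('.').slice(-2).join('.');
  return site(a) === site(b);
}

// Constructed inputs replaying the report: the SDK's plain script tag, the
// hand-built crossOrigin="anonymous" tag, and the same tag once the server
// answers with Access-Control-Allow-Origin: *.
const app = {
  requesterOrigin: 'http://localhost:3000',
  resourceOrigin: 'https://o1127159.ingest.sentry.io',
};
const plainScript = coepRequireCorpDecision({ ...app, mode: 'no-cors' }, {});
const anonScript = coepRequireCorpDecision({ ...app, mode: 'cors' }, {});
const withAcao = coepRequireCorpDecision({ ...app, mode: 'cors' }, {
  'access-control-allow-origin': '*',
});
```

The model also shows the other server-side fix for the no-cors case: a Cross-Origin-Resource-Policy: cross-origin header on the script response lets the SDK's unmodified script tag through.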
