sentry-javascript: 7.17.1 attaching baggage header to third-party requests breaking CORS policies

Is there an existing issue for this?

I have checked for existing issues https://github.com/getsentry/sentry-javascript/issues
I have reviewed the documentation https://docs.sentry.io/
I am using the latest SDK release https://github.com/getsentry/sentry-javascript/releases

How do you use Sentry?

Sentry Saas (sentry.io)

Which package are you using?

@sentry/react

SDK Version

7.17.1

Framework Version

React 16.x

Link to Sentry event

No response

Steps to Reproduce

Our app was running fine using sentry/tracing 7.16.0 We deployed new code with sentry/tracing 7.17.1 A bunch of third party requests started failing with CORS errors: blocked by CORS policy: Request header field baggage is not allowed by Access-Control-Allow-Headers in preflight response. We roll back to previous version, errors go away

in our test environment, with Sentry enabled and sentry/tracing at 7.17.1, CORS errors on third party requests to services on other domains that we don’t control with Sentry disabled, everything is fine with Sentry/tracing on 7.16.0 and enabled, everything is fine

Expected Result

No CORS errors on third-party requests, no baggage header attached to third party requests

Actual Result

request has been blocked by CORS policy: Request header field baggage is not allowed by Access-Control-Allow-Headers in preflight response.

I have to assume this was caused by https://github.com/getsentry/sentry-javascript/pull/6039 We use default tracing config

        new TracingIntegrations.BrowserTracing(),

Which according to the docs: https://docs.sentry.io/platforms/javascript/performance/instrumentation/automatic-instrumentation/#tracingorigins should only impact calls to localhost and the same domain/origin as the page, but this does not seem to be happening

About this issue

Original URL
State: closed
Created 2 years ago
Reactions: 5
Comments: 38 (15 by maintainers)

Commits related to this issue

fix(tracing): Fix `tracingOrigins` not applying (#6079) In the process of working on https://github.com/getsentry/sentry-javascript/issues/5285, we missed the fact that the first two PRs (https://git... — committed to getsentry/sentry-javascript by lobsterkatie 2 years ago
Fix Sentry baggage header causing Network Error... https://github.com/getsentry/sentry-javascript/issues/6077 — committed to amcsi/lycee-overture by amcsi a year ago

Most upvoted comments

Hi @redbugz,

we just released version 7.17.2 with a fix for this bug.

Lms24 on Oct 28, 2022

@Lms24 everything is ok, it works. Thanks!

Archi4400 on Nov 28, 2022

Tenemos este error incluso con 7.61.1. Lo arreglamos agregando:
new Sentry.BrowserTracing({
      traceFetch: false
})
Para evitar fetchque se rastreen las llamadas (de ahí la adición de los encabezados).
Isn’t the normal operation supposed to be to track calls?

I thought the same until I read the type declarations:

/**
     * Flag to disable patching all together for fetch requests.
     *
     * Default: true
     */
    traceFetch: boolean;

lopsum-me on Aug 4, 2023

We got this error even with 7.61.1. We fixed it by adding:

new Sentry.BrowserTracing({
      traceFetch: false
})

To prevent fetch calls for being traced (hence adding the headers).

lopsum-me on Aug 4, 2023

diegobejardelaguila

fixed, the following additional headers should be added in backend:

‘baggage’, ‘sentry-trace’… You must add all the headers that request sentinel or those that exit in error that are being blocked to the backend.

diegobejardelaguila on Aug 4, 2023

Here, trying to integrate sentry with next js 12. It happens to me that when installing sentry it generates this error:

Access to XMLHttpRequest at ‘http://localhost:1337/api/auth/local’ from origin ‘http://localhost:3000’ has been blocked by CORS policy: Request header field baggage is not allowed by Access-Control-Allow-Headers in preflight response.

// This file configures the initialization of Sentry on the client.
// The config you add here will be used whenever a users loads a page in their browser.
// https://docs.sentry.io/platforms/javascript/guides/nextjs/

import * as Sentry from "@sentry/nextjs";

Sentry.init({
  dsn: `${process.env.dsnSentry}`,

  // Adjust this value in production, or use tracesSampler for greater control
  tracesSampleRate: 1.0,

  // Setting this option to true will print useful information to the console while you're setting up Sentry.
  debug: false,

  replaysOnErrorSampleRate: 1.0,

  // This sets the sample rate to be 10%. You may want this to be 100% while
  // in development and sample at a lower rate in production
  replaysSessionSampleRate: 0.1,

  // You can remove this option if you're not planning to use the Sentry Session Replay feature:
  integrations: [
    new Sentry.Replay({
      // Additional Replay configuration goes in here, for example:
      maskAllText: true,
      blockAllMedia: true,
    })
  ],
});

now when I add BrowserTracing, it works correctly for me only when logging in but the rest of the endpoints again get the same error cors

integrations: [
    new BrowserTracing({ tracingOrigins: ["*"] }),
    new Sentry.Replay({
      // Additional Replay configuration goes in here, for example:
      maskAllText: true,
      blockAllMedia: true,
    })
  ],

diegobejardelaguila on Jul 21, 2023

I tried disabling traceFetch and traceXHR to fix this. According to the docs for those options it should have.

So what do I have to do to stop Sentry from modifying my requests altogether?

waynebloss on Jan 18, 2023

Hi @Archi4400 we released 7.21.0 with the fix. The issue was auto-closed after merging it. Let me know if tracePropagationTargets now work for you. Thanks!

Lms24 on Nov 23, 2022

but tracingOrigins works for me, why is that?

Archi4400 on Nov 22, 2022