sentry-javascript: CORS issue on capturing exceptions

Package + Version

  • @sentry/react
  • @sentry/browser
  • @sentry/node
  • raven-js
  • raven-node (raven for node)
  • [] other:

Version: "@sentry/react": "^5.22.0",

0.0.0

Description

I have a simple setup to capture events to sentry, like below

// import * as Sentry from "@sentry/browser"; // same with this package
import * as Sentry from "@sentry/react";
Sentry.init({
  dsn: "https://xxxxxxxxxxxxxxxx@o64130.ingest.sentry.io/1319034",
  release: "my-project-name@" + process.env.npm_package_version,
});

const logError = (error) => {
  Sentry.captureException(error);
};

function App() {
  logError(new Error("from create-react-app"));

  return (
    <div className="App">
      <header className="App-header">
        <img src={logo} className="App-logo" alt="logo" />
        <p>
          Edit <code>src/App.js</code> and save to reload.
        </p>
        <a
          className="App-link"
          href="https://reactjs.org"
          target="_blank"
          rel="noopener noreferrer"
        >
          Learn React
        </a>
      </header>
    </div>
  );
}

But the request to Sentry ended up being 403 (Forbidden), and it’s because of CORS. Does anyone have the same problem?

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 39 (9 by maintainers)

Most upvoted comments

I was having this CORS error as well, and it turned out my ad blocker (uBlock Origin on Firefox OSX) was blocking the connection to Sentry.

Hi all,

Regarding the CORS envelope problem: I have SDK 6.2.5 and the 9.2.1 self-hosted version.

Here’s another solution I managed to find, and the envelope requests are no longer sent.

Sentry.init({ autoSessionTracking: false, });

I’m also experiencing a CORS error for all the “envelope” API calls:

https://sentry.my-domain.com/api/10/envelope/?sentry_key=f3faf208db114e9f2f882f893&sentry_version=7

Those are failing because of CORS:

Access to fetch at ‘https://sentry.my-domain.com/api/10/envelope/?sentry_key=f3faf208db114e9f2f882f893&sentry_version=7’ from origin ‘https://my-domain.com’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. If an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled.

It works fine for the “store” API calls. I do see the errors on my Sentry project (on sentry.my-domain.com) for API calls like this one:

https://sentry.my-domain.com/api/10/store/?sentry_key=f3faf208db114e9f2f882f893&sentry_version=7

I did add my domain name in the “Allowed Domains” configuration section on sentry.my-domain.com and I could confirm this had an impact on whether or not the “store” API calls reached Sentry. No impact on those “envelope” calls though. For those I have a CORS issue.

It appears to be the combination of integrations and tracesSampleRate that’s causing CORS issues; disabling either one of those two seems to resolve it. Using latest @sentry/angular: 6.19.7 and @sentry/tracing 6.19.7.

> I’m also experiencing a CORS error for all the “envelope” API calls:
>
> https://sentry.my-domain.com/api/10/envelope/?sentry_key=f3faf208db114e9f2f882f893&sentry_version=7
>
> Those are failing because of CORS:
>
> Access to fetch at ‘https://sentry.my-domain.com/api/10/envelope/?sentry_key=f3faf208db114e9f2f882f893&sentry_version=7’ from origin ‘https://my-domain.com’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. If an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled.
>
> It works fine for the “store” API calls. I do see the errors on my Sentry project (on sentry.my-domain.com) for API calls like this one:
>
> https://sentry.my-domain.com/api/10/store/?sentry_key=f3faf208db114e9f2f882f893&sentry_version=7
>
> I did add my domain name in the “Allowed Domains” configuration section on sentry.my-domain.com and I could confirm this had an impact on whether or not the “store” API calls reached Sentry. No impact on those “envelope” calls though. For those I have a CORS issue.

Faced the issue when using SDK 6x with 9x self-hosted Sentry. Downgrading to 5x versions of the SDK helped!

Hi, I found a way to solve the CORS issue~ the point is: don’t use the integrations and release options!!!

Sentry.init({
    dsn: "my-dsn-sentry",
    tracesSampleRate: 1.0,
    environment: "production",
})

P.S. Setting autoSessionTracking and sendClientReports both to false doesn’t work in my project, I don’t know why…

@mihanizm56 Thanks for feedback. I learned elsewhere that I’m using a too old version of Sentry in my self-hosted configuration.

Got the same issue with the request “type:session”.

curl 'https://sentry-sitemobile.wildberries.ru/api/7/envelope/?sentry_key=blablabla&sentry_version=7' \
  -H 'Connection: keep-alive' \
  -H 'sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36' \
  -H 'Content-Type: text/plain;charset=UTF-8' \
  -H 'Accept: */*' \
  -H 'Origin: https://ui-root.suppliers-portal-ru.svc.k8s.stage' \
  -H 'Sec-Fetch-Site: cross-site' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Referer: https://ui-root.suppliers-portal-ru.svc.k8s.stage/' \
  -H 'Accept-Language: en' \
  --data-raw $'{"sent_at":"2021-03-19T23:43:10.697Z","sdk":{"name":"sentry.javascript.browser","version":"6.2.2"}}\n{"type":"session"}\n{"sid":"blablabla","init":true,"started":"2021-03-19T23:43:10.697Z","timestamp":"2021-03-19T23:43:10.697Z","status":"ok","errors":0,"duration":0,"attrs":{"release":"v0.0.2"}}' \
  --compressed

Sentry in our company is self-hosted

How to fix it: PROJECT -> General -> CLIENT SECURITY -> Verify TLS/SSL: set to ENABLED

help!

@mihanizm56 I did change it before posting, so no worries.

Hey @karna41317 - in your Sentry account, double check these settings:

  • Project Settings -> General Settings -> Allowed Domains
  • Project Settings -> Inbound Filters -> Filter out events coming from localhost (if you’re noticing this during local development)

> It appears to be the combination of integrations and tracesSampleRate that’s causing CORS issues; disabling either one of those two seems to resolve it. Using latest @sentry/angular: 6.19.7 and @sentry/tracing 6.19.7.

True. Adding config { tracingOrigins: ["*"] } for BrowserTracing solved it for me

Sentry.init({
  dsn: "******************************",
  integrations: [new BrowserTracing({ tracingOrigins: ["*"] })],
  tracesSampleRate: 0.025,
});

"@sentry/browser": "^6.13.3" + Company self-hosted Sentry 9.1.2 will cause browser CORS error.

The company Sentry URL is like https://sentry.company.com.

Downgrading @sentry/browser to ^5.30.0 solves this issue. Don’t know why.

Be careful - you are showing your DSN! =)

> Hi all,
>
> Regarding the CORS envelope problem: I have SDK 6.2.5 and the 9.2.1 self-hosted version.
>
> Here’s another solution I managed to find, and the envelope requests are no longer sent.
>
> Sentry.init({ autoSessionTracking: false, });

Thanks @vladyc9, I like this solution much better than having to downgrade the version of the package. And like BYK said, version 9.1.2 of Sentry does not support session tracking anyway.

@BYK it would be super cool if a version compatibility matrix existed. Having to spend hours reading through all the closed issues, and changelogs is not user friendly. If we can’t have a matrix then it would be nice if the major version number of the sentry server was aligned with the major version of the client. ¯\_(ツ)_/¯ with the versions not aligned and also not having a matrix it just makes the product feel flakey.

I have the same problem in Sentry V10. I think it’s not a CORS problem.

I see the web container logs show 09:25:58 [WARNING] django.request: Forbidden (CSRF cookie not set.): /api/4/envelope/ (status_code=403 request=<WSGIRequest: POST u'/api/4/envelope/?sentry_key=xxx&sentry_version=7'>), then it returns 403.

The browser did not find the CORS header, so it shows “no CORS header”, but it does not tell you the HTTP response code is 403.

@BYK @kamilogorek @karna41317
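Added example, not part of the thread or of Sentry's own code: the comment above observes that a 403 returned without an Access-Control-Allow-Origin header surfaces in the browser only as a CORS error. The sketch below builds the store and envelope URLs from a DSN in the shape shown in the thread and classifies what a browser would report for a given response. The names `ingestUrls`, `classify`, `diagnoseSamples` and `probe`, and the sample responses, are constructed for illustration.

```javascript
// Added example: function names and sample responses below are constructed.
// Build the store and envelope URLs from a DSN: https://<key>@<host>[/prefix]/<project_id>
function ingestUrls(dsn) {
  const u = new URL(dsn);
  const parts = u.pathname.split("/").filter(Boolean);
  const projectId = parts.pop();
  if (!u.username || !projectId) throw new Error("malformed DSN");
  const prefix = parts.length ? "/" + parts.join("/") : "";
  const base = `${u.protocol}//${u.host}${prefix}/api/${projectId}`;
  const query = `?sentry_key=${u.username}&sentry_version=7`;
  return { store: `${base}/store/${query}`, envelope: `${base}/envelope/${query}` };
}

// What a browser does with a cross-origin response (request sent without
// credentials). `headers` is a plain object with lower-case names.
function classify(status, headers, origin) {
  const acao = headers["access-control-allow-origin"];
  if (acao === "*" || acao === origin) {
    return status >= 200 && status < 300 ? "accepted" : `readable-http-${status}`;
  }
  // No usable header: page JavaScript sees only a CORS error, never the status.
  return acao === undefined ? `cors-error-masking-http-${status}` : "cors-error-origin-not-allowed";
}

// Constructed responses modelled on the thread: store answers with a CORS
// header, envelope is rejected with 403 and carries no CORS header.
const SAMPLE_ORIGIN = "https://my-domain.com";
const SAMPLE_RESPONSES = {
  store: { status: 200, headers: { "access-control-allow-origin": SAMPLE_ORIGIN } },
  envelope: { status: 403, headers: {} },
};

function diagnoseSamples() {
  return Object.fromEntries(Object.entries(SAMPLE_RESPONSES).map(
    ([name, r]) => [name, classify(r.status, r.headers, SAMPLE_ORIGIN)]));
}

// Live check with Node 18+ fetch, which does not enforce CORS, so the real
// status code behind the browser's CORS message is visible.
async function probe(dsn, origin) {
  const out = {};
  for (const [name, url] of Object.entries(ingestUrls(dsn))) {
    const res = await fetch(url, { method: "POST", headers: { Origin: origin }, body: "{}" });
    out[name] = classify(res.status, Object.fromEntries(res.headers), origin);
  }
  return out;
}
```

A result of `cors-error-masking-http-403` for the envelope endpoint points at the server rejecting the request (as in the CSRF log line above) rather than at the Allowed Domains setting.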

Closing the issue as a part of large repository cleanup, due to it being inactive and/or outdated. Please do not hesitate to ping me if it is still relevant, and I will happily reopen and work on it. Cheers!