sentry-javascript
Errors from user-executed code are showing up in Sentry
Is there an existing issue for this?
- [X] I have checked for existing issues https://github.com/getsentry/sentry-javascript/issues
- [X] I have reviewed the documentation https://docs.sentry.io/
- [X] I am using the latest SDK release https://github.com/getsentry/sentry-javascript/releases
How do you use Sentry?
Self-hosted/on-premise
Which SDK are you using?
@sentry/react
SDK Version
7.80.0
Framework Version
React ^18.2.0
Link to Sentry event
No response
SDK Setup
Believe this is related to the settings in Sentry itself?
```javascript
sentryReactRouterV6Init({
  "initialScope": {
    "tags": {}
  },
  "integrations": [
    {
      "name": "BrowserTracing",
      "_hasSetTracePropagationTargets": true,
      "options": {
        "idleTimeout": 1000,
        "finalTimeout": 30000,
        "heartbeatInterval": 5000,
        "markBackgroundTransactions": true,
        "startTransactionOnLocationChange": true,
        "startTransactionOnPageLoad": true,
        "enableLongTask": true,
        "_experiments": {},
        "traceFetch": true,
        "traceXHR": true,
        "enableHTTPTimings": true,
        "tracingOrigins": [
          "localhost",
          {}
        ],
        "tracePropagationTargets": [
          "localhost",
          {}
        ]
      }
    }
  ],
  "sampleRate": 1,
  "tracesSampleRate": 1,
  "enabled": false,
  "enableTracing": false,
  "environment": "local",
  "debug": false
});
```
I have tried enabling the following incoming data filters
- Filter out errors known to be caused by browser extensions
- Filter out events coming from localhost
- Filter out known web crawlers
- Filter out hydration errors
- Filter out ChunkLoadError(s)
- Error Message: have tried various things here and nothing has worked, examples below
*:(type=error) captured as promise rejection onunhandledrejection:* *:onunhandledrejection <unknown>:* *:<unknown> Event:* *:Event
Steps to Reproduce
In a website running Sentry, open the console and paste the following snippet
```javascript
let src = new Error({foo: 'bar'});
new Promise((resolve, reject) => {
  const script = document.createElement('script');
  script.src = src;
  script.onload = resolve;
  script.onerror = reject;
  document.body.appendChild(script);
});
```
We have CSP Headers enabled so we see the following output
```
Refused to load the script 'error: [object Object]' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
Uncaught (in promise) Event {isTrusted: true, __sentry_captured__: true, type: 'error', target: script, currentTarget: null, …}
```
An issue is then created in Sentry with the following:
Event
Event Event (type=error) captured as promise rejection
mechanism onunhandledrejection
handled false
Additional Data
| __serialized__ | { currentTarget: [object Null], isTrusted: True, target: body > script, type: error} |
|---|---|
Expected Result
Filtering Error Message causes issue to not be created
Actual Result
Issue is created
Hi, there was a Chrome bug some time ago that reported errors from the dev tools console to the global onerror, causing them to be reported. They fixed it but maybe it made a comeback. We couldn't come up with a way to filter those.
However, in this case, I believe what happens is that you're indirectly triggering window.onerror which causes an error to be reported. I also don't think there is a way to detect these to filter them out without having false positives and potentially not reporting important errors (very bad!).
If you have any ideas feel free to point them out here :) Otherwise, I would close this issue to keep our inbox clean.
So my thinking was that if the CSP headers are successfully blocking the script execution there would be a way to combine that fact with Sentry's logic to prevent the errors from blocked scripts from reporting. I am not sure if that is at all feasible.
This issue is not isolated to Chrome FWIW, it also happens if I trigger the event from Firefox.
I honestly can't think of a way to associate the two from just JS. We have CSP reporting but I don't think you can detect CSP issues with JS (?). Feel free to correct me here.
In any case, unless there is an easy way to do this we will probably not tackle it anytime soon. PRs are always welcome though!
This issue has gone three weeks without activity. In another week, I will close it.
But! If you comment or otherwise update it, I will reset the clock, and if you remove the label Waiting for: Community, I will leave it alone ... forever!
"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀
I was hoping the CSP headers logic could somehow be associated on the backend to link the two, but I am just guessing without a deep understanding of how the CSP reporting works or if this is completely illogical.
We're also seeing
"<unknown> Event `Event` (type=error) captured as promise rejection"
errors with no stack trace either, which makes it hard to pin down what is going on. This is also weirdly our top error.
@bitttttten this can happen if you throw a non-error (like an Event in this case) object inside an async context so that it bubbles up as unhandled promise rejection. The SDK cannot determine where the event was thrown from, because it lacks a stacktrace.
This is our top error at the moment, can't find a scenario to reproduce it either. It's a bit hard to track down.
@lforst Is it possible to opt into like more verbose tracing or something? So at least we can find out where the non-error value comes from?
@bitttttten you could try adding logging statements to your code or Sentry.addBreadcrumb() to figure out what is going on before such events are used to reject. Unfortunately this is not something we can do automatically for you since dangling promise rejections are basically completely detached from any other application flow.
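The loader in the reproduction passes the raw `error` Event to `reject`, which is why the resulting issue has no stack trace and no script URL. As an added example (not code from this thread or from the Sentry SDK; the function names and tag keys are assumptions, and it assumes the SDK hands the rejection reason to `beforeSend` as `hint.originalException`), a loader that rejects with a real `Error`, plus a `beforeSend` hook that annotates Event-based rejections instead of dropping them:

```javascript
// Added example; function names and tag keys are assumptions.

// Loader that rejects with a real Error (message + stack trace) instead of the
// bare DOM Event that `script.onerror = reject` passes to the rejection.
function loadScript(src, doc = document) {
  return new Promise((resolve, reject) => {
    const script = doc.createElement('script');
    script.src = String(src);
    script.onload = () => resolve(script);
    script.onerror = (ev) => {
      const err = new Error(`Failed to load script: ${script.src}`);
      err.name = 'ScriptLoadError';
      err.cause = ev; // original Event kept for debugging
      reject(err);
    };
    doc.body.appendChild(script);
  });
}

// beforeSend hook: when the rejection reason was a DOM Event, record which
// element fired it. The event is annotated, never dropped.
function annotateEventRejection(event, hint) {
  const reason = hint && hint.originalException;
  if (!reason || reason instanceof Error || typeof reason.type !== 'string') {
    return event; // normal Errors pass through untouched
  }
  const target = reason.target || {};
  event.tags = {
    ...event.tags,
    rejection_event_type: reason.type,
    rejection_target: String(target.tagName || 'unknown').toLowerCase(),
  };
  event.extra = {
    ...event.extra,
    rejection_target_url: target.src || target.href || null,
  };
  return event;
}

// Wiring (other init options omitted):
//   Sentry.init({ dsn: '...', beforeSend: annotateEventRejection });
```

The recorded URL is what the `__serialized__` data shown above lacks, and it distinguishes the application's own loaders from scripts injected by something else on the page.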
Found this issue while searching for answers.
In my case it appears the culprit is the "PayPal Honey for Safari"