From 69e5a3b2c72d910914a319ba3ec10066c63159b3 Mon Sep 17 00:00:00 2001
From: Lukas Stracke <lukas.stracke@sentry.io>
Date: Tue, 14 Jan 2025 18:16:31 +0100
Subject: [PATCH 1/3] feat(sveltekit)!: Remove fetch proxy script injection and
 options

---
 packages/sveltekit/src/server/handle.ts       | 41 +++----------------
 packages/sveltekit/test/server/handle.test.ts | 33 ++-------------
 2 files changed, 10 insertions(+), 64 deletions(-)

diff --git a/packages/sveltekit/src/server/handle.ts b/packages/sveltekit/src/server/handle.ts
index 8d5fe21de1c1..5120e2c10244 100644
--- a/packages/sveltekit/src/server/handle.ts
+++ b/packages/sveltekit/src/server/handle.ts
@@ -35,23 +35,6 @@ export type SentryHandleOptions = {
    * @default false
    */
   handleUnknownRoutes?: boolean;
-
-  /**
-   * Controls if `sentryHandle` should inject a script tag into the page that enables instrumentation
-   * of `fetch` calls in `load` functions.
-   *
-   * @default true
-   */
-  injectFetchProxyScript?: boolean;
-
-  /**
-   * If this option is set, the `sentryHandle` handler will add a nonce attribute to the script
-   * tag it injects into the page. This script is used to enable instrumentation of `fetch` calls
-   * in `load` functions.
-   *
-   * Use this if your CSP policy blocks the fetch proxy script injected by `sentryHandle`.
-   */
-  fetchProxyScriptNonce?: string;
 };
 
 /**
@@ -72,23 +55,11 @@ export const FETCH_PROXY_SCRIPT = `
  *
  * Exported only for testing
  */
-export function addSentryCodeToPage(options: SentryHandleOptions): NonNullable<ResolveOptions['transformPageChunk']> {
-  const { fetchProxyScriptNonce, injectFetchProxyScript } = options;
-  // if injectFetchProxyScript is not set, we default to true
-  const shouldInjectScript = injectFetchProxyScript !== false;
-  const nonce = fetchProxyScriptNonce ? `nonce="${fetchProxyScriptNonce}"` : '';
-
-  return ({ html }) => {
-    const metaTags = getTraceMetaTags();
-    const headWithMetaTags = metaTags ? `<head>\n${metaTags}` : '<head>';
-
-    const headWithFetchScript = shouldInjectScript ? `\n<script ${nonce}>${FETCH_PROXY_SCRIPT}</script>` : '';
-
-    const modifiedHead = `${headWithMetaTags}${headWithFetchScript}`;
-
-    return html.replace('<head>', modifiedHead);
-  };
-}
+export const addSentryCodeToPage = (({ html }) => {
+  const metaTags = getTraceMetaTags();
+  const headWithMetaTags = metaTags ? `<head>\n${metaTags}` : '<head>';
+  return html.replace('<head>', headWithMetaTags);
+}) satisfies NonNullable<ResolveOptions['transformPageChunk']>;
 
 /**
  * A SvelteKit handle function that wraps the request for Sentry error and
@@ -174,7 +145,7 @@ async function instrumentHandle(
           normalizedRequest: winterCGRequestToRequestData(event.request.clone()),
         });
         const res = await resolve(event, {
-          transformPageChunk: addSentryCodeToPage(options),
+          transformPageChunk: addSentryCodeToPage,
         });
         if (span) {
           setHttpStatus(span, res.status);
diff --git a/packages/sveltekit/test/server/handle.test.ts b/packages/sveltekit/test/server/handle.test.ts
index c5225124ace3..805c9f656a30 100644
--- a/packages/sveltekit/test/server/handle.test.ts
+++ b/packages/sveltekit/test/server/handle.test.ts
@@ -429,46 +429,21 @@ describe('addSentryCodeToPage', () => {
     </body>
   </html>`;
 
-  it("Adds add meta tags and fetch proxy script if there's no active transaction", () => {
-    const transformPageChunk = addSentryCodeToPage({});
-    const transformed = transformPageChunk({ html, done: true });
+  it("Adds add meta tags if there's no active transaction", () => {
+    const transformed = addSentryCodeToPage({ html, done: true });
 
     expect(transformed).toContain('<meta name="sentry-trace"');
     expect(transformed).toContain('<meta name="baggage"');
     expect(transformed).not.toContain('sentry-transaction=');
-    expect(transformed).toContain(`<script >${FETCH_PROXY_SCRIPT}</script>`);
   });
 
-  it('adds meta tags and the fetch proxy script if there is an active transaction', () => {
-    const transformPageChunk = addSentryCodeToPage({});
+  it('adds meta tags if there is an active transaction', () => {
     SentryNode.startSpan({ name: 'test' }, () => {
-      const transformed = transformPageChunk({ html, done: true }) as string;
+      const transformed = addSentryCodeToPage({ html, done: true });
 
       expect(transformed).toContain('<meta name="sentry-trace"');
       expect(transformed).toContain('<meta name="baggage"');
       expect(transformed).toContain('sentry-transaction=test');
-      expect(transformed).toContain(`<script >${FETCH_PROXY_SCRIPT}</script>`);
     });
   });
-
-  it('adds a nonce attribute to the script if the `fetchProxyScriptNonce` option is specified', () => {
-    const transformPageChunk = addSentryCodeToPage({ fetchProxyScriptNonce: '123abc' });
-    SentryNode.startSpan({ name: 'test' }, () => {
-      const transformed = transformPageChunk({ html, done: true }) as string;
-
-      expect(transformed).toContain('<meta name="sentry-trace"');
-      expect(transformed).toContain('<meta name="baggage"');
-      expect(transformed).toContain('sentry-transaction=test');
-      expect(transformed).toContain(`<script nonce="123abc">${FETCH_PROXY_SCRIPT}</script>`);
-    });
-  });
-
-  it('does not add the fetch proxy script if the `injectFetchProxyScript` option is false', () => {
-    const transformPageChunk = addSentryCodeToPage({ injectFetchProxyScript: false });
-    const transformed = transformPageChunk({ html, done: true }) as string;
-
-    expect(transformed).toContain('<meta name="sentry-trace"');
-    expect(transformed).toContain('<meta name="baggage"');
-    expect(transformed).not.toContain(`<script >${FETCH_PROXY_SCRIPT}</script>`);
-  });
 });

From 682a818ae9c74d77fdeba672e583e1dd04ecaaa3 Mon Sep 17 00:00:00 2001
From: Lukas Stracke <lukas.stracke@sentry.io>
Date: Tue, 14 Jan 2025 18:24:32 +0100
Subject: [PATCH 2/3] add migration note

---
 docs/migration/v8-to-v9.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/docs/migration/v8-to-v9.md b/docs/migration/v8-to-v9.md
index ba1208a4b6a4..e1a3d83615c1 100644
--- a/docs/migration/v8-to-v9.md
+++ b/docs/migration/v8-to-v9.md
@@ -116,6 +116,11 @@ Older Typescript versions _may_ still work, but we will not test them anymore an
 
 - By default, source maps will now be automatically deleted after being uploaded to Sentry for client-side builds. You can opt out of this behavior by explicitly setting `sourcemaps.deleteSourcemapsAfterUpload` to `false` in your Sentry config.
 
+### `@sentry/sveltekit`
+
+- SvelteKit 1 is no longer supported, due to some features missing in the first version of the framework. This allows the SDK to remove some brittle workarounds that were necessary for proper 1.x support.
+- In v8, the Sentry SvelteKit SDK would inject a small `<script>` into your rendered HTML server response to correctly instrument client-side `fetch` calls. This no longer is necessary with SvelteKit 2.x. Therefore, SDK no longer injects this script. Likewise, the `fetchProxyScriptNonce` and `injectFetchProxyScript` were removed from the `sentryHandle` options. Besides removing the removed options if you set them, we recommend reviewing your CSP settings to remove any nonce or hash entries for the no longer injected script.
+
 ### All Meta-Framework SDKs (`@sentry/astro`, `@sentry/nuxt`, `@sentry/solidstart`)
 
 - Updated source map generation to respect the user-provided value of your build config, such as `vite.build.sourcemap`:

From 315ffe35511024474cdaf912a34370aefcaa189e Mon Sep 17 00:00:00 2001
From: Lukas Stracke <lukas.stracke@sentry.io>
Date: Tue, 14 Jan 2025 18:24:41 +0100
Subject: [PATCH 3/3] remove more unused code

---
 packages/sveltekit/src/server/handle.ts       | 12 ------------
 packages/sveltekit/test/server/handle.test.ts |  2 +-
 2 files changed, 1 insertion(+), 13 deletions(-)

diff --git a/packages/sveltekit/src/server/handle.ts b/packages/sveltekit/src/server/handle.ts
index 5120e2c10244..58e9a7586d85 100644
--- a/packages/sveltekit/src/server/handle.ts
+++ b/packages/sveltekit/src/server/handle.ts
@@ -37,17 +37,6 @@ export type SentryHandleOptions = {
   handleUnknownRoutes?: boolean;
 };
 
-/**
- * Exported only for testing
- */
-export const FETCH_PROXY_SCRIPT = `
-    const f = window.fetch;
-    if(f){
-      window._sentryFetchProxy = function(...a){return f(...a)}
-      window.fetch = function(...a){return window._sentryFetchProxy(...a)}
-    }
-`;
-
 /**
  * Adds Sentry tracing <meta> tags to the returned html page.
  * Adds Sentry fetch proxy script to the returned html page if enabled in options.
@@ -79,7 +68,6 @@ export const addSentryCodeToPage = (({ html }) => {
 export function sentryHandle(handlerOptions?: SentryHandleOptions): Handle {
   const options = {
     handleUnknownRoutes: false,
-    injectFetchProxyScript: true,
     ...handlerOptions,
   };
 
diff --git a/packages/sveltekit/test/server/handle.test.ts b/packages/sveltekit/test/server/handle.test.ts
index 805c9f656a30..e4d5ae03d470 100644
--- a/packages/sveltekit/test/server/handle.test.ts
+++ b/packages/sveltekit/test/server/handle.test.ts
@@ -14,7 +14,7 @@ import type { Handle } from '@sveltejs/kit';
 import { redirect } from '@sveltejs/kit';
 import { vi } from 'vitest';
 
-import { FETCH_PROXY_SCRIPT, addSentryCodeToPage, sentryHandle } from '../../src/server/handle';
+import { addSentryCodeToPage, sentryHandle } from '../../src/server/handle';
 import { getDefaultNodeClientOptions } from '../utils';
 
 const mockCaptureException = vi.spyOn(SentryNode, 'captureException').mockImplementation(() => 'xx');