Reporting-API (Reporting-Endpoints) support #38940
Comments
CC @bhollis

Hey! We do support the Reporting API via ReportingObservers, but the headers sound super interesting. We already support a variety of headers for security reporting, and I think it would be good for us to support This requires changes to the Sentry product and Relay (our event ingestion system) - so I'll transfer this GH issue to that repo!

Routing to @getsentry/ingest for triage. ⏲️

Thanks @bkotsopoulossc for reporting this! This does sound like something Sentry will support eventually. We will discuss it internally and get back to you.

That is awesome! I didn’t even realize the JS API existed. The main value I see with the header based API is for crashes. I imagine that if a browser tab crashes, it would be challenging for the browser to fire the report to a URL registered through JS. Even though the docs for the JS one mention supporting crashes, they say “and crash (although this last type usually isn't retrievable via a ReportingObserver”. Does that line up with what you’d expect as well?

Yup, crashes are probably the most useful thing we'd get here if we instrument this - it'll unlock a whole category of issues that previously weren't visible because we rely on JS to be running on the page. For others who are following along, you can do this yourself while you wait for Sentry to build out a 1st class solution. You would:
So you would try mapping the report API format -> a Sentry event, and then sending that Sentry event to Sentry!
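The mapping step of the workaround described in the comment above, as an added example that is not code from this thread or from Sentry. The event field mapping, the size caps and the function names are assumptions; since a report endpoint accepts unauthenticated POSTs from any browser, everything sender-controlled is type-checked and truncated before it reaches the event.

```javascript
// Added example. Report fields (type, age, url, user_agent, body) follow the
// Reporting API; the event mapping, caps and function names are assumptions.
const MAX_REPORTS = 50;   // assumed cap on reports accepted per POST
const MAX_STR = 2048;     // assumed cap on any sender-controlled string
const LEVELS = new Map([["crash", "fatal"], ["csp-violation", "error"],
  ["intervention", "warning"], ["deprecation", "warning"]]);

const clip = (v) => (typeof v === "string" ? v.slice(0, MAX_STR) : undefined);
// Reports arrive unauthenticated from any browser: keep scalar fields only.
function flatBody(body) {
  const out = {};
  if (body === null || typeof body !== "object" || Array.isArray(body)) return out;
  for (const [k, v] of Object.entries(body).slice(0, 32)) {
    if (typeof v === "string") out[clip(k)] = clip(v);
    else if (typeof v === "number" || typeof v === "boolean") out[clip(k)] = v;
  }
  return out;
}

function reportToEvent(report, receivedAtMs) {
  if (report === null || typeof report !== "object") return null;
  const level = LEVELS.get(report.type);
  if (!level) return null;                    // drop unknown report types
  const age = Number.isFinite(report.age) && report.age >= 0 ? report.age : 0;
  const body = flatBody(report.body);
  const detail = body.reason || body.effectiveDirective || body.id || "unspecified";
  return {
    timestamp: (receivedAtMs - age) / 1000,   // age: ms between event and delivery
    platform: "javascript",
    level,
    logger: "reporting-api",
    message: `${report.type}: ${detail}`,
    tags: { report_type: report.type },
    request: { url: clip(report.url), headers: { "User-Agent": clip(report.user_agent) } },
    extra: { report_body: body },
  };
}

function mapReportBatch(contentType, rawBody, receivedAtMs = Date.now()) {
  if (!/^application\/reports\+json\b/i.test(contentType || "")) return [];
  let batch;
  try { batch = JSON.parse(rawBody); } catch { return []; }
  if (!Array.isArray(batch)) return [];
  return batch.slice(0, MAX_REPORTS).map((r) => reportToEvent(r, receivedAtMs)).filter(Boolean);
}

// Constructed sample batch, shaped like a browser's application/reports+json POST.
const SAMPLE = JSON.stringify([{ type: "crash", age: 1500,
  url: "https://app.example/", user_agent: "ExampleUA/1.0", body: { reason: "oom" } }]);
```

Each object returned by `mapReportBatch` can then be handed to the Sentry SDK's `captureEvent` in the receiving service.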
I love that idea! We were thinking of building a custom UI to view these events that we ingest on our server but sending right back to our sentry project sounds way better!

Alright some additional context when we eventually take this on. We probably want to skip out on using There is also Network Error Logging, which isn't supported by
We can just wait till that new mechanism is decided and use that! Some internal links for Sentry folks - sorry open source people this has Sentry Saas customer info so we can't share them publicly. https://getsentry.atlassian.net/browse/FEEDBACK-251 - feedback ticket about https://sentry.zendesk.com/agent/tickets/15696 -

Looks like @danielkhan is out of office. @AbhiPrasad or @smeubank, would either of you be able to answer the question?

This is a little unowned right now, but we can figure that out.
@guidobouman do you mind describing this workaround and what you are doing with the lambda? How is that related to the reporting API?

I am assigning this to me for now. Let's clarify the Lambda use case as @AbhiPrasad suggested. I will discuss this with @smeubank.

As the Reporting API is not yet supported with the ingestion endpoints, we've created our own minimal endpoint in which we receive the reports and manually send that into Sentry as a workaround. It's not a bug, just a feature request, so we don't have to maintain our own custom reporting endpoint.

Basically we've implemented the workaround from @AbhiPrasad's message:
One minor problem we run into is the origin of those events.

We've managed to impersonate the other project from our service, and can now send events into sentry on behalf of another project. Still, it's a manual proxy implementation, and would prefer to actually use the Sentry reporting endpoint when possible.

It's worth noting that Chrome can now include stack traces with unresponsive crashes via an origin trial. https://docs.google.com/document/d/19DpvHIiYbmB9wgIP0BdI4vOnfVLcAZFmfIAml7SqRQA/

I just had a look at the Relay code and the existing CSP endpoint "just" converts the CSP reports into envelopes: https://github.com/getsentry/relay/blob/fa1b2540b5003e3eb7ccac5d1150950f6661fbbe/relay-server/src/endpoints/security_report.rs This could be added in a few steps:
For the other types of reports,
Problem Statement
Chrome 96 supports a new reporting API for CSP violations and other bad things. Is Sentry considering supporting this? Having a way to ingest and display these reports?
https://web.dev/reporting-api/
Solution Brainstorm
This could be similar to how sentry supports the `report-uri` directive, with the `sentry.io/api/security/` endpoint