CORS error on sentry.io when logging in


#1

My company is blocking sentry.io after logging in because you guys are using a cdn for javascript assets and not handling the cross origin request properly.

Error in dev tools
Access to Script at https://s1.sentry-cdn.com/_static/6bab65551b04a1f1a918663f982bb506/sentry/dist/app.js from origin https://sentry.io has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin sentry.io is therefore not allowed access. The response had HTTP status code 403.

Error in UI

Please wait while we load an obnoxious amount of JavaScript.

You may need to disable adblocking extensions to load Sentry.


#2

Hey @RJSchmertz are you able to reliably reproduce? I’m not able to and we haven’t had any other reports of this.

This file also is correctly sending back CORS headers:

$ curl -v https://s1.sentry-cdn.com/_static/6bab65551b04a1f1a918663f982bb506/sentry/dist/app.js 2>&1 | grep -i access-control
< Access-Control-Allow-Origin: *

#3

Today is the first day I’ve noticed (probably haven’t signed in since end of last week). But it’s been consistent today, from multiple computers and browsers. I do know they’ve been increasing/tightening things on our internal network lately so it’s likely related, but was hoping it was a setting that could be updated, but you’re showing that maybe it already is.


#4

Yeah, if you can reproduce the issue with curl or post some screenshot of your error/debug console, that’d be useful. I’m curious what response you’re getting back that’d trigger this.

It doesn’t seem to me like it’s anything we’re doing on our end.


#5

curl definitely helped expose the deeper issue. It is being blocked by our web filter, it’s falling in the uncategorized/unknown basket and being blocked.

Based on your organization’s access policies, access to this web site
( https://s1.sentry-cdn.com/_static/6bab65551b04a1f1a918663f982bb506/sentry/dist/app.js ) has been blocked because the web category “Uncategorized URLs” is not allowed.

Maybe you guys can look into putting a category on your CDN (I don’t know how that works).


#6

Thank you for your attention and help, it is appreciated.
I’ve submitted a white list request with my IT.


#7

Yeah, this is great to know, but I literally have no idea how we’d do that. I think it’d have to be user generated and sourced. I’m not sure how every company in the world maintains swapping out URLs.

One thing to point out is we did, just the other day, swap out a different hostname for this one.

It was previously 75ff019b64fc4358.freetls.fastly.net but we swapped it out for s1.sentry-cdn.com which is just an alias for it, backed by the same service. Just… less sketchy looking. :slight_smile:


#8

Hey @matt, We’re also having a CORS issue trying to include the latest sentry javascript SDK via the CDN url listed in Getting Started. Curl request shows the Access-Control-Allow-Origin header hasn’t been properly set.

Getting Started Ex: <script src="https://js.sentry-cdn.com/___PUBLIC_KEY___.min.js" crossorigin="anonymous"></script>

curl --head https://js.sentry-cdn.com/___PUBLIC_KEY___.min.js | \
grep -i "access-control-allow-origin"

Returns nothing. For context, jquery returns Access-Control-Allow-Origin: *

curl --head https://ajax.googleapis.com/ajax/libs/jquery/2.2.0/jquery.js | \
grep -i "access-control-allow-origin"

#9

Hey @matt. I’m also facing a CORS issue.
Error is:
Access to Script at ‘https://js.sentry-cdn.com/cb1e2d8d256b4c24989e0bf5c2255a7b.min.js’ from origin ‘https://test.myjobs.com.mm’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘test.myjobs.com.mm’ is therefore not allowed access.


#10

Hey @matt

I’m facing exactly the same problem as nirmalbaldaniya-drea and @JessicaGillan.

curl --head https://js.sentry-cdn.com/__MY_PUBLIC_KEY__.min.js

returns me:

HTTP/2 200
content-type: text/javascript
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
cache-control: public, max-age=30, s-maxage=60, stale-while-revalidate=315360000, stale-if-error=315360000
x-frame-options: deny
accept-ranges: bytes
date: Thu, 20 Sep 2018 11:49:18 GMT
age: 12
x-served-by: web-b378b859, cache-ord1746-ORD, cache-fra19148-FRA
vary: Accept-Encoding
strict-transport-security: max-age=31536000; includeSubDomains
content-length: 1606

Looks like access-control-allow-origin: * is missing.

I also tried to put the content from https://js.sentry-cdn.com/__MY_PUBLIC_KEY__.min.js as inline JS in my HTML but then I got JS error: https://front-code.pl/sc/2018-09-20_13-56-03.png.


Temporarily, I think, because of these problems I moved to the old way of loading and configuring the SDK:

<script src="https://cdn.ravenjs.com/3.14.0/raven.min.js"></script>
<script type="text/javascript">
    Raven.config('https://__MY_PUBLIC_KEY__@sentry.io/__MY_PROJECT_KEY__').install()
</script>

The URL for Raven.config you can find in the script from CDN passed as dsn value: "dsn":"https://__MY_PUBLIC_KEY__@sentry.io/__MY_PROJECT_KEY__"


#11

We have the same issue


#12

Hi,

First I want to apologize for this happening. We pushed out the new SDKs yesterday and part of that promoted the CDN loader for new customers in the documentation. However, unfortunately, the CDN loader was served up with the incorrect access control headers and as such refused to load when the crossorigin attribute was set to anonymous.

I’m still trying to find out why we missed it but our own usage did not show this as an issue as we were using it from the same domain ourselves. We should have vetted this better.

For now we pointed the documentation for new users to use the underlying javascript SDK and we will put the docs back to the loader when we have properly verified that there are no lingering issues we overlooked.

In addition, the loader is now fixed for users who are already using it, as new headers are emitted. This issue should not occur any more.

Please accept my sincere apologies for this issue. This was not professionally handled and should not have happened. If you have any questions about this feel free to reach out to armin@sentry.io with questions.

Regards,
Armin
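The thread shows two different causes behind the same browser message: the corporate web filter answering 403 before the CDN is ever reached (#5), and the loader being served with a 200 but without Access-Control-Allow-Origin (#8 through #12). The following diagnostic, added here as an example and not code from Sentry or any poster, parses the header dump that curl --head or curl -v prints and names which case applies; the sample responses at the bottom are constructed, modelled on the ones quoted above.

```python
"""Classify why a <script crossorigin="anonymous"> fetch from a CDN fails,
given the text `curl --head` / `curl -v` prints. Samples are constructed."""
from typing import Dict, Tuple


def parse_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Return (status, lower-cased header map); accepts HTTP/1.1 and HTTP/2
    status lines and tolerates the '< ' prefix that curl -v adds."""
    status, headers = 0, {}
    for line in raw.splitlines():
        line = line.lstrip("< ").strip()
        if line.upper().startswith("HTTP/"):
            parts = line.split()
            if len(parts) >= 2 and parts[1].isdigit():
                status = int(parts[1])
        elif ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def diagnose_cors(raw: str, origin: str, credentials: bool = False) -> str:
    """Name the failure mode for a cross-origin script load from `origin`.
    credentials=False is crossorigin="anonymous" (the thread's case);
    credentials=True is crossorigin="use-credentials", where browsers reject
    a wildcard and also require Access-Control-Allow-Credentials: true."""
    status, headers = parse_head(raw)
    acao = headers.get("access-control-allow-origin")
    if status >= 400:
        # Post #5: the web filter answered 403, so the CDN's own headers never
        # reached the browser; the "missing header" is only a symptom there.
        return f"blocked-upstream: HTTP {status} before any CORS headers"
    if acao is None:
        # Posts #8-#12: file served with 200 but no Access-Control-Allow-Origin.
        return "missing-acao"
    if acao == "*":
        return "wildcard-with-credentials" if credentials else "ok"
    if acao != origin:
        return f"origin-mismatch: allowed {acao}, page origin {origin}"
    acac = headers.get("access-control-allow-credentials", "").lower()
    if credentials and acac != "true":
        return "missing-allow-credentials"
    return "ok"


# Constructed samples modelled on the responses quoted in the thread.
FILTER_BLOCK = "HTTP/1.1 403 Forbidden\ncontent-type: text/html\n"
LOADER_NO_ACAO = "HTTP/2 200\ncontent-type: text/javascript\ncontent-length: 1606\n"
LOADER_FIXED = "< HTTP/2 200\n< content-type: text/javascript\n< access-control-allow-origin: *\n"
```

Pipe real curl output into diagnose_cors with the page's origin to tell the two cases apart before filing a whitelist request or a CDN bug.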