Required content security policy

I can’t find a list of directives that need to be added to my content security policy to use sentry.io with raven.js. So far I’ve only got https://cdn.ravejs.com, but is there anything else that’s required for full operation of Sentry?

For example, both Fullstory and Intercom provide a list of the required directives:


https://www.intercom.com/help/configure-intercom-for-your-product-or-site/staying-secure/using-intercom-with-content-security-policy

Hi @ndench, you will need to add script-src: https://cdn.ravenjs.com (or wherever you’re loading the script from) and the domain present in your configured DSN (connect-src: https://sentry.io).

PR here: https://github.com/getsentry/sentry-javascript/pull/1476

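An added example, not code from this thread or from Sentry, that derives the script-src and connect-src sources untitaker describes from a DSN and the script URL, with an option to narrow connect-src to the per-project store path rather than the whole host. It assumes raven.js posts events to /api/<project_id>/store/ on the DSN host (an assumption, not stated in the thread), and the DSN and CDN path below are constructed sample values.

```javascript
// Parse a Sentry DSN of the form scheme://publicKey[:secret]@host[:port]/projectId
// into the origin to allow in connect-src and the project id for the store path.
function parseDsn(dsn) {
  const u = new URL(dsn);
  // WHATWG URL drops the credentials from .origin, so keys never leak into the header.
  const projectId = u.pathname.replace(/^\/+|\/+$/g, '').split('/').pop();
  if (!u.username || !projectId) throw new Error('invalid DSN: ' + dsn);
  return { origin: u.origin, projectId };
}

// Build a CSP header value. With narrow=true, connect-src is limited to the
// per-project store endpoint (assumed: raven.js posts to /api/<project>/store/).
function buildCsp(dsn, scriptUrl, narrow = false) {
  const { origin, projectId } = parseDsn(dsn);
  const script = new URL(scriptUrl).origin;
  const connect = narrow ? `${origin}/api/${projectId}/store/` : origin;
  return `default-src 'self'; script-src 'self' ${script}; connect-src 'self' ${connect}`;
}

// Minimal host-source matcher for absolute URLs: an origin-only source matches the
// whole origin; a source whose path ends in "/" is a path-prefix match; otherwise the
// path must match exactly. Keyword sources such as 'self' are ignored here.
function cspAllows(policy, directive, requestUrl) {
  const dir = policy.split(';').map(s => s.trim()).find(s => s.startsWith(directive + ' '));
  if (!dir) return false;
  const req = new URL(requestUrl);
  return dir.split(/\s+/).slice(1).some(src => {
    if (src.startsWith("'")) return false;
    const s = new URL(src);
    if (s.origin !== req.origin) return false;
    if (s.pathname === '/') return true;
    return s.pathname.endsWith('/') ? req.pathname.startsWith(s.pathname) : req.pathname === s.pathname;
  });
}

// Constructed sample values: a fake public key, project 42, and a CDN path.
const SAMPLE_DSN = 'https://abc123@sentry.io/42';
const SAMPLE_SCRIPT = 'https://cdn.ravenjs.com/raven.min.js';
console.log(buildCsp(SAMPLE_DSN, SAMPLE_SCRIPT));        // whole-host connect-src
console.log(buildCsp(SAMPLE_DSN, SAMPLE_SCRIPT, true));  // per-project connect-src
```

With the narrow policy, a client whose DSN has been swapped to another project on the same host is blocked by connect-src, which the whole-host policy does not prevent.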

That’s perfect, thanks!

Hey @untitaker

Just as a followup:

Is it safe to whitelist the whole of sentry.io? Would it make more sense to whitelist each project url instead? Would it be possible for someone to hijack a client, update their sentry reporting endpoint to their own, and then receive error data, which could possibly contain sensitive user data?

I’m also not sure if the above PR docs exist anywhere currently.
I Googled a string from the PR and couldn’t see any good results.

Thanks,
Finlay

We need support for this as well. We’re unable to use Sentry.io in the context of a Twitch extension since they don’t allow wildcard public whitelists.