Closed
Description
Is there an existing issue for this?
- I have checked for existing issues https://github.com/getsentry/sentry-javascript/issues
- I have reviewed the documentation https://docs.sentry.io/
- I am using the latest SDK release https://github.com/getsentry/sentry-javascript/releases
How do you use Sentry?
Sentry Saas (sentry.io)
Which package are you using?
@sentry/ember
SDK Version
6.19.7
Framework Version
No response
Link to Sentry event
No response
Steps to Reproduce
- Install `@ember/sentry`
- Configure CSP as described in the docs
- Configure the ember sentry addon to send tracing (e.g., `sentry.tracesSampleRate = 0.2`)
- Run the app in production mode
Expected Result
There are no CSP violations originating from sentry code.
Actual Result
There are two unsafe-inline script violations:
Two inline script tags are injected:
```html
<script>if (window.performance && window.performance.mark) {
window.performance.mark('@sentry/ember:initial-load-start');
}
</script>
<script>if (window.performance && window.performance.mark) {
window.performance.mark('@sentry/ember:initial-load-end');
}
</script>
```
The best solution would be to ensure those code snippets are stable, generate the sha256 hash and publish them as part of the documentation. If those hashes ever change, that would be a breaking change and would need to be flagged in release notes.
Another, although much less desirable solution, would be to provide an option to disable page load measurements when tracing is enabled such that those snippets are not injected.
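
The hash approach proposed in this issue, as an added example (not part of the original report and not Sentry's code): it derives CSP `sha256-` sources from the inline scripts in built HTML and reports any script a pinned policy would block. The sample HTML is constructed from the snippets as shown in the report, so its hashes match the real injected scripts only if the whitespace is byte-identical; `unpinnedHashes` and `/assets/app.js` are hypothetical names.

```javascript
const { createHash } = require('node:crypto');

// A CSP hash source is the base64 SHA-256 of the exact characters between
// <script> and </script>; whitespace and newlines are part of the input.
function cspHash(scriptText) {
  const digest = createHash('sha256').update(scriptText, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Bodies of inline scripts (no src attribute). A regex is adequate for build
// output you control; it is not a general HTML parser.
function inlineScripts(html) {
  const bodies = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (let m = re.exec(html); m !== null; m = re.exec(html)) {
    if (!/\bsrc\s*=/i.test(m[1])) bodies.push(m[2]);
  }
  return bodies;
}

// Hashes present in the built page but absent from the pinned policy.
// A non-empty result means the policy would block a script in production.
function unpinnedHashes(html, policy) {
  return inlineScripts(html).map(cspHash).filter((h) => !policy.includes(h));
}

// Constructed sample: the two snippets as they appear in the report,
// plus one external script that needs no hash.
const mark = (name) =>
  `<script>if (window.performance && window.performance.mark) {\n` +
  `window.performance.mark('@sentry/ember:initial-load-${name}');\n}\n</script>`;
const SAMPLE_HTML =
  `<head>${mark('start')}<script src="/assets/app.js"></script></head>` +
  `<body>${mark('end')}</body>`;

// Pin the hashes once, then re-run unpinnedHashes on every build or upgrade.
const pinned = inlineScripts(SAMPLE_HTML).map(cspHash);
const policy = `script-src 'self' ${pinned.join(' ')}`;
console.log(policy);
console.log('unpinned after build:', unpinnedHashes(SAMPLE_HTML, policy));
```

Running the check in CI after each SDK upgrade surfaces a changed snippet before the policy blocks it in production.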