
@ember/sentry generates inline script tags that break a secure Content-Security-Policy (CSP) #4995

Closed
@Ramblurr

Description

How do you use Sentry?

Sentry Saas (sentry.io)

Which package are you using?

@sentry/ember

SDK Version

6.19.7

Framework Version

No response

Link to Sentry event

No response

Steps to Reproduce

  1. Install @ember/sentry
  2. Configure CSP as described in the docs
  3. Configure the ember sentry addon to send tracing (e.g., sentry.tracesSampleRate = 0.2)
  4. Run the app in production mode

Expected Result

There are no CSP violations originating from sentry code.

Actual Result

There are two unsafe-inline script violations:

Two inline script tags are injected:

```html
<script>if (window.performance && window.performance.mark) {
  window.performance.mark('@sentry/ember:initial-load-start');
}
</script>
<script>if (window.performance && window.performance.mark) {
  window.performance.mark('@sentry/ember:initial-load-end');
}
</script>
```

The best solution would be to ensure those code snippets are stable, generate the sha256 hash and publish them as part of the documentation. If those hashes ever change that would be a breaking change and would need to be flagged in release notes.

Another, although much less desirable solution, would be to provide an option to disable page load measurements when tracing is enabled such that those snippets are not injected.
