Pick better defaults for tracePropagationTargets #9764
Description
The current defaults for tracePropagationTargets (['localhost', /^\/(?!\/)/]) run into a few problems:
- If you do a fetch request to the same origin domain without using a short version (i.e.
fetch("https://mysameorigin.com/api/some-route")instead offetch("/api/some-route")) we will currently not attach tracing headers by default. - If you use localhost with subdomains (e.g.
http://cdn.localhost/resource) we will add tracing headers which may trigger CORS even for localhost. - Currently, we don't attach tracing headers to requests like
fetch("//sameorigin.com/")while it would be valid to do so ifsameorigin.comis actually the same origin.
Proposal
- We need to be stricter on the localhost validation, e.g.
/^(https?|ws):\/\/localhost// - We need to add a matcher for when the origin is provided and it is the same origin as the current page, e.g.
new RegExp(`^${window.location.origin}\/`) - (Requirement: No longer support IE11) When a URL starts with a
/, e.g.//external-origin.com/, we throw it into the URL constructor as follows and use the resulting origin as the base for matching against items intracePropagationTargets:new URL(target, window.location.origin). That way, we are matching the actual resolved (including the protocol) against our definedtracePropagationTargetsand it will work well with our predefined defaults. Maybe there is a case to be made to generally throw the target in the URL constructor before comparing against anything.