Skip to content

fix(tracing-internal): Avoid classifying protocol-relative URLs as same-origin urls #8114

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
May 15, 2023
Merged

fix(tracing-internal): Avoid classifying protocol-relative URLs as same-origin urls #8114

merged 3 commits into from
May 15, 2023

Conversation

@Lms24
Copy link
Member

@Lms24 Lms24 commented May 14, 2023
edited
Loading

Bored at the airport (4h delay) lol

To fix #8099, we need to adjust our tracePropagationTargets default regex to account for protocol-relative URLs. These were previously classified as same-origin, relative URLs, causing tracing headers to be attached which in turn potentially caused CORS errors for users.

closes #8099

@github-actions
Copy link
Contributor

github-actions bot commented May 14, 2023
edited
Loading

size-limit report 📦

Path Size
@sentry/browser - ES5 CDN Bundle (gzipped + minified) 21.03 KB (+0.03% 🔺)
@sentry/browser - ES5 CDN Bundle (minified) 65.63 KB (+0.02% 🔺)
@sentry/browser - ES6 CDN Bundle (gzipped + minified) 19.57 KB (+0.04% 🔺)
@sentry/browser - ES6 CDN Bundle (minified) 58.09 KB (+0.02% 🔺)
@sentry/browser - Webpack (gzipped + minified) 21.17 KB (0%)
@sentry/browser - Webpack (minified) 69.04 KB (0%)
@sentry/react - Webpack (gzipped + minified) 21.19 KB (0%)
@sentry/nextjs Client - Webpack (gzipped + minified) 49.12 KB (+0.01% 🔺)
@sentry/browser + @sentry/tracing - ES5 CDN Bundle (gzipped + minified) 28.65 KB (+0.04% 🔺)
@sentry/browser + @sentry/tracing - ES6 CDN Bundle (gzipped + minified) 26.89 KB (+0.04% 🔺)
@sentry/replay ES6 CDN Bundle (gzipped + minified) 47.7 KB (+0.19% 🔺)
@sentry/replay - Webpack (gzipped + minified) 41.57 KB (+0.25% 🔺)
@sentry/browser + @sentry/tracing + @sentry/replay - ES6 CDN Bundle (gzipped + minified) 66.6 KB (+0.14% 🔺)
@sentry/browser + @sentry/replay - ES6 CDN Bundle (gzipped + minified) 59.48 KB (+0.16% 🔺)

@Lms24 Lms24 changed the title fix(tracing-internal): Avoid classifying protocol-relative URLs as a relative url fix(tracing-internal): Avoid classifying protocol-relative URLs as same-origin urls May 14, 2023
@Lms24 Lms24 requested review from a team, AbhiPrasad, lforst and mydea and removed request for a team and mydea May 15, 2023 08:22
lforst
lforst approved these changes May 15, 2023
View reviewed changes
Copy link
Contributor

@lforst lforst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

very interesting

@gongpeione
Copy link

gongpeione commented May 15, 2023
edited
Loading

In my opinion, using /^\/(?!\\/)/ would be more appropriate? since there may be requests like fetch('/') with a very small probability.

image

@Lms24
Copy link
Member Author

Lms24 commented May 15, 2023

Good catch, thanks @gongpeione!

@Lms24 Lms24 merged commit 4c42bd5 into develop May 15, 2023
@Lms24 Lms24 deleted the lms/fix-protol-relative-urls branch May 15, 2023 10:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AbhiPrasad AbhiPrasad AbhiPrasad approved these changes

+1 more reviewer

@lforst lforst lforst approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Tracing headers are attached to protocol-relative URLs by default, causing CORS errors

5 participants

@Lms24 @gongpeione @lforst @AbhiPrasad