feat: Update default trace propagation targets logic in the browser #10621

Merged
merged 9 commits into from
Feb 15, 2024

@lforst lforst commented Feb 12, 2024

Before this change, the default behaviour to which requests we added tracing headers when tracePropagationTargets were not defined was flawed:

  • Same-origin requests that included the full URL (e.g. fetch("http://my-same-origin/api")) were not getting traced.
  • Cross-origin requests to a localhost domain (e.g. fetch("http://api.localhost/posts")) were getting trace headers attached and causing CORS errors.

We solve this by attaching tracing headers to all same-origin requests when tracePropagationTargets is not defined.

Apart from that, our matching logic was not powerful enough:

  • Our matcher always took the literal string that was passed to fetch and xhr as a comparator. E.g. When doing fetch("/api"), we only matched tracePropagationTargets against "/api" and not against the full URL. This makes it very hard to properly trace requests done by 3rd party libraries where you may not know whether they send the requests to "/api" or "${window.location.origin}/api".

We aim to solve this by always comparing the provided tracePropagationTargets against the full URL to which the request is sent, and to preserve a certain degree of backwards compatibility, if users defined a relative matcher like /^\/api/, we also compare the defined tracePropagationTargets against the pathname (in the technical sense), iff the request is a same-origin request. (The last part is important because we don't want to hand people a footgun to run into CORS errors.)

Resolves #9764
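
The matching rules described above, as an added sketch (illustrative JavaScript, not the SDK's code and not part of the original PR). `matchesAny`, `shouldAttachTraceHeaders`, `PAGE` and the sample URLs are hypothetical; it assumes string targets match as substrings and that an unparseable URL gets no headers.

```javascript
// Added illustration of the rules in the PR description; not the SDK's code.
// Assumption: string targets match as substrings, RegExp targets via test().
function matchesAny(value, targets) {
  return targets.some((t) =>
    typeof t === 'string' ? value.includes(t) : t.test(value)
  );
}

// requestUrl: the literal passed to fetch/xhr; pageHref: window.location.href.
function shouldAttachTraceHeaders(requestUrl, pageHref, targets) {
  let page, resolved;
  try {
    page = new URL(pageHref);
    resolved = new URL(requestUrl, page); // "/api" and "foobar" become absolute
  } catch {
    return false; // assumption: an unparseable URL gets no headers
  }
  const sameOrigin = resolved.origin === page.origin;

  // Default: no targets configured, so trace same-origin requests only.
  if (!targets) return sameOrigin;

  // Targets are always compared against the full URL...
  if (matchesAny(resolved.href, targets)) return true;

  // ...and against the pathname only when the request is same-origin, so a
  // relative matcher like /^\/api/ never adds headers to another origin.
  return sameOrigin && matchesAny(resolved.pathname, targets);
}

// Constructed page URL and inputs for a stand-alone run.
const PAGE = 'http://my-origin.com/api/my-route';
console.log(shouldAttachTraceHeaders('http://my-origin.com/api', PAGE));        // default, same origin
console.log(shouldAttachTraceHeaders('/api', PAGE, [/^\/api/]));                 // pathname match
console.log(shouldAttachTraceHeaders('https://not-my-origin.com/api', PAGE, [/^\/api/]));
// An origin-anchored target, the shape the "missing anchor" alerts ask for:
console.log(shouldAttachTraceHeaders('/api', PAGE, [/^https?:\/\/my-origin\.com\/api/]));
```
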

@lforst lforst changed the base branch from develop to lforst-remove-tracing-origins February 12, 2024 16:11
github-actions bot commented Feb 13, 2024

size-limit report 📦

Path Size
@sentry/browser (incl. Tracing, Replay, Feedback) - Webpack (gzipped) 77.88 KB (+0.08% 🔺)
@sentry/browser (incl. Tracing, Replay) - Webpack (gzipped) 69.11 KB (+0.08% 🔺)
@sentry/browser (incl. Tracing, Replay with Canvas) - Webpack (gzipped) 73.04 KB (+0.08% 🔺)
@sentry/browser (incl. Tracing, Replay) - Webpack with treeshaking flags (gzipped) 62.73 KB (+0.09% 🔺)
@sentry/browser (incl. Tracing) - Webpack (gzipped) 33.3 KB (+0.17% 🔺)
@sentry/browser (incl. browserTracingIntegration) - Webpack (gzipped) 33.21 KB (+0.15% 🔺)
@sentry/browser (incl. Feedback) - Webpack (gzipped) 31.16 KB (0%)
@sentry/browser (incl. sendFeedback) - Webpack (gzipped) 31.16 KB (0%)
@sentry/browser - Webpack (gzipped) 22.43 KB (0%)
@sentry/browser (incl. Tracing, Replay, Feedback) - ES6 CDN Bundle (gzipped) 76.17 KB (+0.08% 🔺)
@sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (gzipped) 67.68 KB (+0.07% 🔺)
@sentry/browser (incl. Tracing) - ES6 CDN Bundle (gzipped) 33.65 KB (+0.16% 🔺)
@sentry/browser - ES6 CDN Bundle (gzipped) 24.71 KB (0%)
@sentry/browser (incl. Tracing, Replay) - ES6 CDN Bundle (minified & uncompressed) 213.03 KB (+0.08% 🔺)
@sentry/browser (incl. Tracing) - ES6 CDN Bundle (minified & uncompressed) 101.65 KB (+0.16% 🔺)
@sentry/browser - ES6 CDN Bundle (minified & uncompressed) 74.01 KB (0%)
@sentry/browser (incl. Tracing) - ES5 CDN Bundle (gzipped) 36.89 KB (+0.18% 🔺)
@sentry/react (incl. Tracing, Replay) - Webpack (gzipped) 69.48 KB (+0.07% 🔺)
@sentry/react - Webpack (gzipped) 22.45 KB (0%)
@sentry/nextjs Client (incl. Tracing, Replay) - Webpack (gzipped) 86.94 KB (-0.3% 🔽)
@sentry/nextjs Client - Webpack (gzipped) 50.11 KB (-0.51% 🔽)
@sentry-internal/feedback - Webpack (gzipped) 17.12 KB (0%)

@lforst lforst changed the title feat: Update default trace propagation targets logic feat: Update default trace propagation targets logic in the browser Feb 13, 2024
Base automatically changed from lforst-remove-tracing-origins to develop February 13, 2024 10:53
@lforst lforst force-pushed the lforst-default-trace-prop-targets branch from 33ecd22 to cfca488 Compare February 13, 2024 11:13
['https://not-my-origin.com/api', /api/, true],

['/api', /^\/api/, true], // matches pathname
['/api', /\/\/my-origin\.com\/api/, true], // matches full url
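
Review bot: The row ['https://not-my-origin.com/api', /api/, true] pins down that an unanchored user pattern attaches trace headers to a cross-origin request, but unlike the two rows below it, it carries no comment saying this is intended. Add a trailing comment (for example "// user-defined target matches full url, cross-origin included") so a later reader does not treat it as a bug, and so it is clear that the same-origin restriction applies only to the pathname comparison.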

Check failure

Code scanning / CodeQL

Missing regular expression anchor

When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it.
['/api', /\/\/my-origin\.com\/api/, true], // matches full url
['foobar', /\/foobar/, true], // matches full url
['foobar', /^\/api\/foobar/, true], // full url match
['some-url.com', /\/some-url\.com/, true],
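
Review bot: The comment on ['foobar', /^\/api\/foobar/, true] says "full url match", but a pattern that starts with ^\/ cannot match a URL that begins with a scheme, so this row can only pass through the pathname comparison. The neighbouring row with /^\/api\/some-url\.com/ is labelled "matches pathname"; this one should say the same.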

Check failure

Code scanning / CodeQL

Missing regular expression anchor

When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it.
['foobar', /\/foobar/, true], // matches full url
['foobar', /^\/api\/foobar/, true], // full url match
['some-url.com', /\/some-url\.com/, true],
['some-url.com', /^\/some-url\.com/, false], // does not match pathname or full url

Check failure

Code scanning / CodeQL

Missing regular expression anchor

This hostname pattern may match any domain name, as it is missing a '$' or '/' at the end.
['foobar', /^\/api\/foobar/, true], // full url match
['some-url.com', /\/some-url\.com/, true],
['some-url.com', /^\/some-url\.com/, false], // does not match pathname or full url
['some-url.com', /^\/api\/some-url\.com/, true], // matches pathname
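
Review bot: On the three 'some-url.com' rows the input has no scheme, so it is a relative path and not a host, which the "matches pathname" comment on the /^\/api\/some-url\.com/ row confirms, yet the table never states it and the hostname-pattern alert reads these rows as host matchers. A one-line comment above the rows saying that 'some-url.com' resolves relative to the page URL would document the intent and record why the alert can be dismissed for this fixture.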

Check failure

Code scanning / CodeQL

Missing regular expression anchor

This hostname pattern may match any domain name, as it is missing a '$' or '/' at the end.
['https://not-my-origin.com/api', /api/, true],

['/api', /^\/api/, true],
['/api', /\/\/my-origin\.com\/api/, false],
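
Review bot: In this table ['/api', /\/\/my-origin\.com\/api/, false] and the rows after it expect the opposite result from the same input and pattern in the earlier table, and none of them carries a comment. From the lines shown, a reader cannot tell which condition makes the full-URL match fail here; state the reason as a trailing comment on each row or as a comment heading the table.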

Check failure

Code scanning / CodeQL

Missing regular expression anchor

When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it.
['/api', /\/\/my-origin\.com\/api/, false],
['foobar', /\/foobar/, false],
['foobar', /^\/api\/foobar/, false],
['some-url.com', /\/some-url\.com/, false],

Check failure

Code scanning / CodeQL

Missing regular expression anchor

When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it.
['foobar', /\/foobar/, false],
['foobar', /^\/api\/foobar/, false],
['some-url.com', /\/some-url\.com/, false],
['some-url.com', /^\/some-url\.com/, false],

Check failure

Code scanning / CodeQL

Missing regular expression anchor

This hostname pattern may match any domain name, as it is missing a '$' or '/' at the end.
['foobar', /^\/api\/foobar/, false],
['some-url.com', /\/some-url\.com/, false],
['some-url.com', /^\/some-url\.com/, false],
['some-url.com', /^\/api\/some-url\.com/, false],

Check failure

Code scanning / CodeQL

Missing regular expression anchor

This hostname pattern may match any domain name, as it is missing a '$' or '/' at the end.
@lforst lforst marked this pull request as ready for review February 13, 2024 15:46
@AbhiPrasad AbhiPrasad left a comment

Yeah I like this, feels super understandable as well instead of this default regex which is slightly confusing.

@Lms24 Lms24 left a comment

This is a great change - Good job!

@lforst lforst enabled auto-merge (squash) February 15, 2024 14:50
@lforst lforst merged commit b420f19 into develop Feb 15, 2024
@lforst lforst deleted the lforst-default-trace-prop-targets branch February 15, 2024 15:34
Development

Successfully merging this pull request may close these issues.

Pick better defaults for tracePropagationTargets