Use Raven-js coupled to sentry in phoneGap app

[Freyskeyd]

Hi,

I'm trying to use sentry with raven-js on a phoneGap project.
I've a little problem...it's about URL security.

In sentry for raven-js i need to define some URL to protect my server.
But, in phoneGap i've no URL on my app. So, sentry doesn't listen to my app.

How can i solve it?
Any modification is possible to allow all URL for a define project?

Thank's!

[dcramer]

In the sentry server you currently cant configure global origins per-project, but if you run the server you can configure the global value.

I believe the setting is::

SENTRY_ALLOW_ORIGIN = '*'

[Freyskeyd]

Okey, i'm gonna try tomorrow.
That's can be interesting to get issue report on android/ios app.

thank's

[dcramer]

Feel free to reopen this if there are any problems related to this.

(We could probably update the documentation to be more clear)

[Shyru]

I just tried doing the same thing with the current raven version (1.1) but had no luck.
I always got the an HTTP error 400 with "Missing required attribute in authentication header". The missing attribute is sentry_secret.
(BTW, we are using the hosted sentry and I configured the client security with *.
When loading the phonegap page in a browser a test event was correctly transmitted to sentry so generally this seems to work.
I think the problem is that when the image is loaded from the phonegap page, no referrer is given. This probably causes the sentry server to switch to a mode where the sentry_secret must be transmitted and no referrer check is done.
So I tried adding the secret key to the dsn, but then raven-js triggered an error because this is discouraged. (I think because sentry is mostly used in public websites).

I then modified my version of raven.js and added this line after 1495:
qs.push('sentry_secret=<my_secret>');

After retrying with this in place it worked successfully.
So how should we go on about implementing this correctly in sentry-js? We could add an additional method that allows to set the secret and document that this should only be used on non-public websites or inside phonegap or something similar. Or we could modify the config() method to only throw the mentioned exception if the code is executed in a browser and not inside phonegap. Then one could specify the secret in the dsn as normally.

I would be glad to implement whatever solution you deem fit. Just say what would be best, and I would fork and make a pull-request.
Thanks for looking into this!

[mattrobenolt]

@Shyru Does PhoneGap not sending a Referer or Origin header when making a request? At the moment, that's used for validation instead of the secret key.

[Shyru]

@mattrobenolt No, phonegap does not send a referer. I checked this with safari's webinspector. I think it is the normal browser behavior to not send referrers when files are loaded from the filesystem with file://-urls. After all, which referer should they send?

[julien-duponchelle]

I have the same issue, we want to use it with cordova but due to fact cordova use file:// url it's not allowed

[abuzzell]

Same problem here, although, oddly, IOS Cordova works, but Android does not.

[kof]

same here ... why isn't this resolved? Its actually pretty trivial to fix on the client by enabling optionally pass the host instead of going over location.href ...

[kof]

hmm wrong, its using origin from headers sent by the browser ....

[kof]

anyways this should be resolved somehow.

[kof]

huh it seems like * works already on sentry server, sorry for bugging you.

[TrevTheDev]

I have the same issue and SENTRY_ALLOW_ORIGIN = '*' is not working for me.

[kof]

I asssume you do in in the wrong place

You need to go to the ui, project settings and put * into client security textarea

[kof]

this is server side configuration.

[TrevTheDev]

@kof thanks! that resolved my issue.

[Madumo]

Hi,

As you can see, I configured the allowed domains to * on the server (this is a self hosted sentry server):

Then, just to try it, I set it up in the debug console of safari, running my cordova project on the iOS simulator, and I still get the same error as above:

And here is the network request informations, you can see the "X-Sentry-Error Missing required attribute in authentication header: sentry_secret"

Am i doing something wrong? :(
Thanks!

[mattrobenolt]

What version of Sentry are you running?

[Madumo]

Sentry 6.4.4

[mattrobenolt]

@Madumo I'm going to look into this on the Sentry side. I think the code path is rejecting if there isn't a Origin or Referer header at all. I'll poke at this tonight and see what the issue is.

[Madumo]

@mattrobenolt Hi, I would just like to know if you have any update on that bug. Did you find something? Was it what you thought?

[mattrobenolt]

Sorry, I haven't had a chance to look into it yet. 😦

[michal-filip]

I too have the same issue when using phonegap. Adding API key to application is detected and prevented in the raven library - so far I see no easy workaround.

[henry74]

Is this resolved?

[dcramer]

Bumping this up as this came up today.

I think to support this we have to accept input from raven.js that uses a secret key.

[dcramer]

Actually I could be wrong. I need to confirm that '*' in the origins field doesn't allow this to work. Either way, keeping this ticket open at the very least to document how to do it.

[mattrobenolt]

Is this fixed with XHR+CORS in 2.0?

It seems like it would be, but we don't test explicitly against PhoneGap, so I'm not 100% sure.

Please reopen if this is still an issue and we can try to address.

[d0b1010r]

Tested it in Cordova/Phonegap: Works.
Does not work from file:// in normal browser