Use Raven-js coupled to sentry in phoneGap app #29

Closed
Freyskeyd opened this issue Oct 24, 2012 · 28 comments

@Freyskeyd

Hi,

I'm trying to use Sentry with raven-js on a PhoneGap project.
I have a little problem... it's about URL security.

In Sentry, for raven-js I need to define some URLs to protect my server.
But in PhoneGap I have no URL for my app. So Sentry doesn't listen to my app.

How can I solve it?
Is any modification possible to allow all URLs for a defined project?

Thanks!

@dcramer
Member

dcramer commented Oct 24, 2012

In the Sentry server you currently can't configure global origins per-project, but if you run the server you can configure the global value.

I believe the setting is:

SENTRY_ALLOW_ORIGIN = '*'

@Freyskeyd
Author

Okay, I'm gonna try tomorrow.
It can be interesting to get issue reports on Android/iOS apps.

Thanks

@dcramer
Member

dcramer commented Nov 2, 2012

Feel free to reopen this if there are any problems related to this.

(We could probably update the documentation to be more clear)

@dcramer dcramer closed this as completed Nov 25, 2012
@Shyru

Shyru commented Dec 12, 2013

I just tried doing the same thing with the current raven version (1.1) but had no luck.
I always got an HTTP error 400 with "Missing required attribute in authentication header". The missing attribute is sentry_secret.
(BTW, we are using the hosted Sentry and I configured the client security with *.)
When loading the phonegap page in a browser a test event was correctly transmitted to sentry so generally this seems to work.
I think the problem is that when the image is loaded from the phonegap page, no referrer is given. This probably causes the sentry server to switch to a mode where the sentry_secret must be transmitted and no referrer check is done.
So I tried adding the secret key to the dsn, but then raven-js triggered an error because this is discouraged. (I think because sentry is mostly used in public websites).

I then modified my version of raven.js and added this line after 1495:
qs.push('sentry_secret=<my_secret>');

After retrying with this in place it worked successfully.
So how should we go on about implementing this correctly in sentry-js? We could add an additional method that allows to set the secret and document that this should only be used on non-public websites or inside phonegap or something similar. Or we could modify the config() method to only throw the mentioned exception if the code is executed in a browser and not inside phonegap. Then one could specify the secret in the dsn as normally.

I would be glad to implement whatever solution you deem fit. Just say what would be best, and I would fork and make a pull-request.
Thanks for looking into this!

@mattrobenolt
Contributor

@Shyru Does PhoneGap not send a Referer or Origin header when making a request? At the moment, that's used for validation instead of the secret key.

@Shyru

Shyru commented Dec 13, 2013

@mattrobenolt No, phonegap does not send a referer. I checked this with safari's webinspector. I think it is the normal browser behavior to not send referrers when files are loaded from the filesystem with file://-urls. After all, which referer should they send?

@julien-duponchelle

I have the same issue. We want to use it with Cordova, but due to the fact that Cordova uses file:// URLs it's not allowed.

@abuzzell

Same problem here, although, oddly, iOS Cordova works, but Android does not.

@kof

kof commented Jul 3, 2014

Same here ... why isn't this resolved? It's actually pretty trivial to fix on the client by optionally allowing the host to be passed instead of going over location.href ...

@kof

kof commented Jul 3, 2014

Hmm, wrong, it's using the origin from headers sent by the browser ....

@kof

kof commented Jul 3, 2014

anyways this should be resolved somehow.

@kof

kof commented Jul 3, 2014

huh it seems like * works already on sentry server, sorry for bugging you.

@TrevTheDev

I have the same issue and SENTRY_ALLOW_ORIGIN = '*' is not working for me.

@kof

kof commented Jul 17, 2014

I assume you do it in the wrong place

You need to go to the ui, project settings and put * into client security textarea

@kof

kof commented Jul 17, 2014

this is server side configuration.

@TrevTheDev

@kof thanks! that resolved my issue.

@Madumo
Contributor

Madumo commented Aug 20, 2014

Hi,

As you can see, I configured the allowed domains to * on the server (this is a self hosted sentry server):
[screenshot]

Then, just to try it, I set it up in the debug console of Safari, running my Cordova project on the iOS simulator, and I still get the same error as above:
[screenshot]

And here is the network request information, you can see the "X-Sentry-Error Missing required attribute in authentication header: sentry_secret"

[screenshot]

Am I doing something wrong? :(
Thanks!

@mattrobenolt
Contributor

What version of Sentry are you running?

@Madumo
Contributor

Madumo commented Aug 21, 2014

Sentry 6.4.4

@mattrobenolt
Contributor

@Madumo I'm going to look into this on the Sentry side. I think the code path is rejecting if there isn't an Origin or Referer header at all. I'll poke at this tonight and see what the issue is.
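
The behaviour described in Shyru's report and in the hypothesis above, as an added example that is not Sentry's or raven-js's code: a Python model of an origin allowlist check that falls back to requiring the secret key when no usable Origin or Referer arrives. The function names, the `accept_missing_origin` switch and the sample requests are assumptions made for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


def origin_of(headers):
    """Return scheme://host[:port] from Origin, else Referer, else None."""
    value = headers.get("Origin") or headers.get("Referer")
    # file:// pages send no Referer, and an opaque origin serializes as "null"
    if not value or value == "null":
        return None
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def host_allowed(origin, allowed):
    """Match the origin's host against entries like '*', 'example.com', '*.example.com'."""
    host = urlsplit(origin).hostname or ""
    return any(p == "*" or fnmatchcase(host, p.lower()) for p in allowed)


def authorize(headers, allowed, secret_ok, accept_missing_origin=False):
    """Decide whether to accept an event submission.

    secret_ok: the request carried a valid secret key (hypothetical flag).
    accept_missing_origin: let '*' also cover requests that have no origin.
    """
    if secret_ok:
        return "accept: secret key"
    origin = origin_of(headers)
    if origin is None:
        if accept_missing_origin and "*" in allowed:
            return "accept: wildcard, no origin"
        return "reject: sentry_secret required"
    if host_allowed(origin, allowed):
        return "accept: origin allowed"
    return "reject: origin not allowed"


# Constructed sample requests (not captured traffic)
BROWSER = {"Origin": "https://app.example.com"}
CORDOVA = {}                      # page loaded from file://, no Origin/Referer
NULL_ORIGIN = {"Origin": "null"}  # opaque origin
```

With the switch off, `*` in the allowlist still rejects the header-less Cordova request, which matches the 400 reported in this thread. With it on, any client that knows the public key can submit events.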

@Madumo
Contributor

Madumo commented Aug 27, 2014

@mattrobenolt Hi, I would just like to know if you have any update on that bug. Did you find something? Was it what you thought?

@mattrobenolt
Contributor

Sorry, I haven't had a chance to look into it yet. 😦

@michal-filip

I too have the same issue when using PhoneGap. Adding the API key to the application is detected and prevented in the raven library - so far I see no easy workaround.

@henry74

henry74 commented Apr 17, 2015

Is this resolved?

@dcramer
Member

dcramer commented May 14, 2015

Bumping this up as this came up today.

I think to support this we have to accept input from raven.js that uses a secret key.

@dcramer dcramer reopened this May 14, 2015
@dcramer
Member

dcramer commented May 14, 2015

Actually I could be wrong. I need to confirm that '*' in the origins field doesn't allow this to work. Either way, keeping this ticket open at the very least to document how to do it.

@mattrobenolt
Contributor

Is this fixed with XHR+CORS in 2.0?

It seems like it would be, but we don't test explicitly against PhoneGap, so I'm not 100% sure.

Please reopen if this is still an issue and we can try to address.

@d0b1010r

Tested it in Cordova/Phonegap: Works.
Does not work from file:// in normal browser

kamilogorek pushed a commit that referenced this issue Jun 12, 2018
expose original uncaughtException to patchGlobal callback, ref #28