Option to not send sentry-trace header to certain origins

[bhollis]

• Review the documentation: https://docs.sentry.io/
• Search for existing issues: https://github.com/getsentry/sentry-javascript/issues
• Use the latest release: https://github.com/getsentry/sentry-javascript/releases
• Provide a link to the affected event from your Sentry account

Package + Version

• @sentry/browser
• @sentry/node
• raven-js
• raven-node (raven for node)
• other: @sentry/tracing

Version:

6.0.1

Description

We call a third party API for most of our app's interactions, where we have no control over their Access-Control-Allow-Headers response. I'd love to automatically record spans for my calls to this API, but the current integration always adds the sentry-trace header, which causes CORS to fail. I'd love to be able to exclude this header from being sent for that origin, since we wouldn't be able to link up the traces with a third party anyway.

[medialoungeml]

This would be nice to have, we have a similar issue where we have a script hosted on a third part domain that calls their internal API with AJAX but this straight up fails due to CORS restrictions when using the tracing integration.

I think this it because sentry tries to wrap AJAX calls with its own function so requests are sent as coming from our domain instead of the third party.

Not sure if there's a workaround for this right now.

[raiviskrumins]

You can use tracingOrigins to filter on which requests sentry-trace header will be added

[bhollis]

@raiviskrumins that's right, but it also prevents automatic tracing of those origins. I'd like to have tracing, but not send the header.

[lukasmatta]

Do I understand it correctly that in order to fetch an error produced by API call, that API endpoint need to match one of the regexps in tracingOrigins and also the sentry-trace will be automatically attached to that request?

I would like to track an error but without attaching the sentry-trace header as it produces a CORS error (REST API is out of my scope, so I can't modify CORS headers)

[dbhoang]

Hi there, I just wanted to bump this. We're experiencing this exact same error with a third party API we're seeing.

[iongion]

The same, calling our own private api attaches sentry-trace header to each fetch request and requires us to whitelist in Access-Control-Allow-Headers, this is problematic, any update on it ? The link provided above is not accessible. https://docs.sentry.io/platforms/javascript/performance/included-instrumentation/#tracingorigins - this one is https://docs.sentry.io/platforms/javascript/performance/instrumentation/automatic-instrumentation/#tracingorigins but there is no option to negate a pattern, I wish exactly the opposite/negate, not to attach the header for specific domains.

Mitigation so far

          new Integrations.BrowserTracing({
            tracingOrigins: ['::1'],
          }),

Thus, it will attach only when ipv6 local domain, which is rarely used (we prefer localhost, 127.0.0.1.. etc)

[mattfysh]

There's usually a way to access the underlying modules and remove the additional header that sentry has added, e.g. in @sentry/node I believe you could do something like:

import http from 'http'

class StrippingAgent extends http.Agent {
  addRequest(req, options) {
    if (!options.stripTracingHeader) {
      return super.addRequest(req, options)
    }
    req.removeHeader('sentry-trace')
    const { 'sentry-trace': x, ...headers } = options.headers
    const forward = { ...options, headers }
    return super.addRequest(req, forward)
  }
}

const agent = new StrippingAgent()

http.request(url, {
  agent,
  stripTracingHeader: true,
})

Not 100% sure if this will work but I'll be giving it a shot tomorrow. edit: just did a quick test and it seems to work

This is for the node library. I'd be happy to look into a browser solution if needed?

Relevant code: https://github.com/getsentry/sentry-javascript/blob/master/packages/node/src/integrations/http.ts#L120-L124

[smeubank]

Hi all,

This new feature should resolve, sorry we added it but forgot to respond to this particular issue.

https://develop.sentry.dev/sdk/performance/#tracepropagationtargets

[smeubank]

will close the issue, but please let me know if we should reconsider something!