Skip to content

7.17.1 attaching baggage header to third-party requests breaking CORS policies #6077

@redbugz

Description

@redbugz

Is there an existing issue for this?

How do you use Sentry?

Sentry Saas (sentry.io)

Which package are you using?

@sentry/react

SDK Version

7.17.1

Framework Version

React 16.x

Link to Sentry event

No response

Steps to Reproduce

Our app was running fine using sentry/tracing 7.16.0
We deployed new code with sentry/tracing 7.17.1
A bunch of third party requests started failing with CORS errors: blocked by CORS policy: Request header field baggage is not allowed by Access-Control-Allow-Headers in preflight response.
We roll back to previous version, errors go away

in our test environment, with Sentry enabled and sentry/tracing at 7.17.1, CORS errors on third party requests to services on other domains that we don't control
with Sentry disabled, everything is fine
with Sentry/tracing on 7.16.0 and enabled, everything is fine

Expected Result

No CORS errors on third-party requests, no baggage header attached to third party requests

Actual Result

request has been blocked by CORS policy: Request header field baggage is not allowed by Access-Control-Allow-Headers in preflight response.

I have to assume this was caused by #6039
We use default tracing config

        new TracingIntegrations.BrowserTracing(),

Which according to the docs:
https://docs.sentry.io/platforms/javascript/performance/instrumentation/automatic-instrumentation/#tracingorigins
should only impact calls to localhost and the same domain/origin as the page, but this does not seem to be happening

Metadata

Metadata

Assignees

No one assigned

    Labels

    Package: browserIssues related to the Sentry Browser SDK

    Type

    No type

    Projects

    Status

    No status

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions