Missing Access-Control-Allow-Credentials CORS header #6970
Comments
Do you literally have |
Also, from our perspective, we don’t need this header and it isn’t required to use raven-js as you mentioned. What is triggering the logs you see? Is that due to strict stuff on your site? I’ve never seen this before or reported by anyone else. I’d rather not add more CORS stuff that we don’t actually need without a reason. But this is probably trivial enough to just add. |
No I do not have See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials documentation about this header. |
Note that I was able to reproduce this on firefox57 and chromium63 with default settings (I didn't make any customization about security or features on these browsers). |
Right, my point is this request doesn't actually use any cookies to report anything. Nor do we read the response back. So this shouldn't be actually impacting anything. But with that said, I don't really see the harm in adding this header, I just have never seen this be an issue before. |
On second thoughts, doesn't it feel better that we're explicitly not allowing cookies to be sent? It seems better from my perspective that we're not tracking extra stuff about your users or something through cookies. Is there something we can do to make this not yell loudly if this is intended behavior? /cc @benvinegar ? |
OK so issue is maybe in raven-js side then as lib should not send cookies and then browser will not block response... |
Right, but we're not explicitly doing that. iirc that's just normal browser behavior. I'll bring it up with @getsentry/sdks team and see if there's anything we can actually change here to explicitly work around this so it's less noisy. This is the first I've heard of this or seen, so not sure if something new changed or browsers just recently started being noisier about this. |
@kamilogorek will know more about this, but here's some starting points:
|
Ah, that makes sense. Yeah, I think if on-premise needs cookies, they should be the exception and pass custom |
I'm going to go ahead and close the issue here since the raven-js PR should address this. Thanks everyone! <3 |
Fixed in |
For those coming from google, the error is probably something like:
The fix is in raven 3.22.1, see the release notes |
We are using raven-js to push events to sentry.io platform.
When a new event is pushed, Access-Control-Allow-Credentials CORS header is missing from sentry server response and so response content is blocked by browser. As requests are POST ones and response seems to not be actually processed by raven-js this is non-blocking but it is polluting browser console and will possibly cause issue when raven-js will need response content.
See below complete error displayed by browser:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://sentry.io/api/:id/store/?sentry_version=7&sentry_client=raven-js%2F3.22.0&sentry_key=:key. (Reason: expected ‘true’ in CORS header ‘Access-Control-Allow-Credentials’).
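
The check a browser applies before exposing a cross-origin response, as an added example (not code from raven-js or Sentry). It follows the CORS check in the Fetch standard, reduced to the two headers this issue is about; the origin `https://app.example` and the header sets are constructed sample values.

```javascript
// Added example: browser-side CORS check, reduced to Access-Control-Allow-Origin
// and Access-Control-Allow-Credentials. Header names are passed lower-cased.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { ok: false, reason: "missing Access-Control-Allow-Origin" };
  }
  const withCredentials = credentialsMode === "include";
  // A wildcard is acceptable only when the request carries no credentials.
  if (!withCredentials && allowOrigin === "*") {
    return { ok: true, reason: "wildcard origin, no credentials" };
  }
  if (allowOrigin !== requestOrigin) {
    return { ok: false, reason: "origin mismatch" };
  }
  if (!withCredentials) {
    return { ok: true, reason: "origin match, no credentials" };
  }
  // Credentialed request: the header must be exactly "true" (case-sensitive).
  if (responseHeaders["access-control-allow-credentials"] === "true") {
    return { ok: true, reason: "origin match, credentials allowed" };
  }
  return {
    ok: false,
    reason: "expected 'true' in Access-Control-Allow-Credentials",
  };
}

// Constructed sample: a response that echoes the origin but does not
// send Access-Control-Allow-Credentials, as described in this issue.
const PAGE_ORIGIN = "https://app.example";
const echoOriginOnly = { "access-control-allow-origin": PAGE_ORIGIN };

// Same response, two credentials modes: only the credentialed one is blocked.
console.log(corsCheck(PAGE_ORIGIN, "include", echoOriginOnly));
console.log(corsCheck(PAGE_ORIGIN, "omit", echoOriginOnly));
```

The same response passes when the request is sent without credentials, which is why the choice is between the server adding the header and the client not attaching cookies.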