Fix CSP Errors #147

Open
wants to merge 2 commits into
base: master
1 change: 1 addition & 0 deletions etc/csp_whitelist.xml
Expand Up @@ -4,6 +4,7 @@
<policy id="script-src">
<values>
<value id="sentry-cdn" type="host">https://browser.sentry-cdn.com</value>
<value id="logrocket-cdn" type="host">https://cdn.lr-ingest.io</value>
</values>
</policy>
<policy id="connect-src">
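Review bot: the new `logrocket-cdn` entry only extends `script-src`, which covers loading `LogRocket.min.js` from https://cdn.lr-ingest.io; the SDK then ships recorded session data to its ingest endpoints, so check that those hosts are also listed under the `connect-src` policy that begins right below this hunk, otherwise the CSP violations this PR sets out to fix move from the script load to the network calls. Note too that `csp_whitelist.xml` is static, so the host is whitelisted on every store regardless of `useLogRocket()`; that is how the whitelist mechanism works, but it is worth a line in the README or changelog.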
132 changes: 70 additions & 62 deletions view/frontend/templates/script/sentry.phtml
Expand Up @@ -2,6 +2,8 @@
// phpcs:disable Magento2.Templates.ThisInTemplate.FoundThis

/** @var \JustBetter\Sentry\Block\SentryScript $block */
/** @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer */

if (!$block->canUseScriptTag($block->getNameInLayout())) {
return;
}
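Review bot: the new `/** @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer */` docblock assumes the framework injects `$secureRenderer` into every template, which only newer Magento releases do; confirm the module's minimum Magento constraint in composer.json is one that provides it, otherwise the `renderTag` call further down fails with an undefined variable on older installs.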
Expand All @@ -26,79 +28,86 @@ $remoteFile = sprintf(
?>

<script src="<?= /** @noEscape */$remoteFile ?>" crossorigin="anonymous"></script>
<script>
<?php
// The following script can be omitted in which case the
// `Chessio_Matomo/js/tracker' component will inject the tracker script instead.
// However that might cause the tracker script to miss the `DOMContentLoaded'
// event which breaks the link tracking feature.
$scriptString = <<<script
While necessary, this reduces readability quite a lot. Is there some other way we can do this?
Like loading a separate phtml file with the script as a string (possibly stripping the script tag) and passing that to the secureRender->renderTag function, so we can still keep the regular script structure.


@indykoning I created a pull request in regard to this comment, see changes in #157

if (typeof Sentry !== 'undefined') {
Sentry.init({
dsn: '<?= $block->escapeUrl(trim($block->getDSN())) ?>',
release: '<?= $block->escapeHtml(trim($block->getVersion())) ?>',
environment: '<?= $block->escapeHtml(trim($block->getEnvironment())) ?>',
dsn: '{$block->escapeUrl(trim($block->getDSN()))}',
release: '{$block->escapeHtml(trim($block->getVersion()))}',
environment: '{$block->escapeHtml(trim($block->getEnvironment()))}',
integrations: [
<?php if ($block->isTracingEnabled()): ?>
Sentry.browserTracingIntegration({
script;
if ($block->isTracingEnabled()) {
$scriptString .= "Sentry.browserTracingIntegration({
enableInp: true,
}),
<?php endif ?>
<?php if ($block->useSessionReplay()): ?>
Sentry.replayIntegration({
blockAllMedia: <?= $block->escapeHtml($block->getReplayBlockMedia() ? 'true' : 'false') ?>,
maskAllText: <?= $block->escapeHtml($block->getReplayMaskText() ? 'true' : 'false') ?>,
})
<?php endif ?>
],
<?php if ($block->isTracingEnabled()): ?>
tracesSampleRate: <?= $block->escapeHtml($block->getTracingSampleRate()) ?>,
<?php endif ?>
<?php if ($block->useSessionReplay()): ?>
replaysSessionSampleRate: <?= $block->escapeHtml($block->getReplaySessionSampleRate()) ?>,
replaysOnErrorSampleRate: <?= $block->escapeHtml($block->getReplayErrorSampleRate()) ?>,
<?php endif ?>
ignoreErrors: <?= /** @noEscape */ $block->getIgnoreJsErrors() ?>,
<?php if ($block->stripStaticContentVersion() || $block->stripStoreCode()): ?>
beforeSend: function(event) {
}),";
}
if ($block->useSessionReplay()) {
$scriptString .= "Sentry.replayIntegration({
blockAllMedia: {$block->escapeHtml($block->getReplayBlockMedia() ? 'true' : 'false')},
maskAllText: {$block->escapeHtml($block->getReplayMaskText() ? 'true' : 'false')},
}),";
}
$scriptString .= '],';
if ($block->isTracingEnabled()) {
$scriptString .= "tracesSampleRate: {$block->escapeHtml($block->getTracingSampleRate())},";
}

if ($block->useSessionReplay()) {
$scriptString .=
"replaysSessionSampleRate: {$block->escapeHtml($block->getReplaySessionSampleRate())},
replaysOnErrorSampleRate: {$block->escapeHtml($block->getReplayErrorSampleRate())},";
}

$scriptString .= "ignoreErrors: {$block->getIgnoreJsErrors()},";

if ($block->stripStaticContentVersion() || $block->stripStoreCode()) {
$scriptString .= "beforeSend: function(event) {
event.exception.values.map(function (value) {
if (value.stacktrace === undefined || ! value.stacktrace) {
return value;
}

<?php if ($block->stripStaticContentVersion()): ?>
value.stacktrace.frames.map(function (frame) {
frame.filename = frame.filename.replace(/version[0-9]{10}\//, '');
}";
if ($block->stripStaticContentVersion()) {
$scriptString .= "value.stacktrace.frames.map(function (frame) {
frame.filename = frame.filename.replace(/version[0-9]{10}\//, '');
return frame;
});";
}
if ($block->stripStoreCode()) {
$scripetString .= "value.stacktrace.frames.map(function (frame) {
frame.filename = frame.filename.replace('/{$block->escapeHtml($block->getStoreCode())}/', '/');
return frame;
});
<?php endif; ?>

<?php if ($block->stripStoreCode()): ?>
value.stacktrace.frames.map(function (frame) {
<?php // phpcs:disable Generic.Files.LineLength ?>
frame.filename = frame.filename.replace('/<?= $block->escapeHtml($block->getStoreCode()); ?>/', '/');
<?php // phpcs:enable Generic.Files.LineLength ?>
return frame;
});
<?php endif; ?>

return value;
});";
}
$scriptString .= "return value;
});
return event;
}
<?php endif; ?>
});
}";
}
</script>

$scriptString .= "});
}";

echo $secureRenderer->renderTag('script', [], $scriptString, false);
?>
<?php if ($block->useLogRocket()): ?>
<script src="https://cdn.lr-ingest.io/LogRocket.min.js" crossorigin="anonymous"></script>
<script>
window.LogRocket && window.LogRocket.init('<?= /* @noEscape */ trim($block->getLogrocketKey()) ?>');
</script>
<script>
LogRocket.getSessionURL(sessionURL => {
Sentry.configureScope(scope => {
scope.setExtra("sessionURL", sessionURL);
});
<?php
$scriptString = <<<script
window.LogRocket && window.LogRocket.init('{$block->getLogrocketKey()}');
LogRocket.getSessionURL(sessionURL => {
Sentry.configureScope(scope => {
scope.setExtra("sessionURL", sessionURL);
});
});
script;

<?php if ($block->useLogRocketIdentify()): ?>

if ($block->useLogRocketIdentify()) {
$scriptString = <<<script
define('customerData',
['jquery', 'Magento_Customer/js/customer-data'],
function ($, customerData) {
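Review bot: `$scripetString .=` in the `stripStoreCode()` branch is a typo; it appends to a fresh variable (with a PHP warning for the undefined one), so the frames mapper that strips the store code silently never reaches the emitted script. It needs to be `$scriptString`. Two more problems in the same hunk: in the LogRocket section, `if ($block->useLogRocketIdentify()) { $scriptString = <<<script` assigns instead of appending, so whenever identify is enabled the preceding `window.LogRocket.init(...)` / `getSessionURL` script is overwritten and only the `define('customerData', ...)` part is rendered by the single `renderTag` call that follows; that should be `.=` as well. And `window.LogRocket.init('{$block->getLogrocketKey()}')` drops the `trim()` the old template applied and interpolates the key into a JS string literal unescaped with no `@noEscape` marker; keep the `trim` and run the value through `$block->escapeJs()` (the same applies to `ignoreErrors: {$block->getIgnoreJsErrors()}`, which lost its `/** @noEscape */` annotation when it moved inside the string, so phpcs no longer sees it). Since `renderTag(..., false)` outputs `$scriptString` verbatim, every interpolated value has to be escaped before it is concatenated.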
Expand Down Expand Up @@ -151,8 +160,7 @@ if (typeof Sentry !== 'undefined') {

});
});


<?php endif; ?>
</script>
<?php endif; ?>
script;
}
echo $secureRenderer->renderTag('script', [], $scriptString, false);
endif;
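Review bot: style point on the closing lines: the identify block is closed with a brace (`}`) while the enclosing `useLogRocket()` block is closed with `endif;`, so one PHP section now mixes brace and alternative control-flow syntax; pick one form for both (braces fit better now that the whole section is a single `<?php` block rather than interleaved HTML). The removal of the two stray blank lines before the old `<?php endif; ?>` is fine.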