Merge pull request #1345 from hypothesis/add-sentry-url-whitelist

Whitelist Sentry error reports to only include errors from our code

src/sidebar/util/sentry.js

@@ -13,6 +13,22 @@ const warnOnce = require('../../shared/warn-once');
 let eventsSent = 0;
 const maxEventsToSendPerSession = 5;
 
+/**
+ * Return the origin which the current script comes from.
+ *
+ * @return {string|null}
+ */
+function currentScriptOrigin() {
+  try {
+    // nb. IE 11 does not support `document.currentScript` and this property
+    // is only available while a `<script>` tag is initially being executed.
+    const scriptUrl = new URL(document.currentScript.src);
+    return scriptUrl.origin;
+  } catch (e) {
+    return null;
+  }
+}
+
 /**
  * Initialize the Sentry integration.
  *
@@ -22,10 +38,23 @@ const maxEventsToSendPerSession = 5;
  * @param {SentryConfig} config
  */
 function init(config) {
+  // Only send events for errors which can be attributed to our code. This
+  // reduces noise in Sentry caused by errors triggered by eg. script tags added
+  // by browser extensions. The downside is that this may cause us to miss errors
+  // which are caused by our code but, for any reason, cannot be attributed to
+  // it. This logic assumes that all of our script bundles are served from
+  // the same origin as the bundle which includes this module.
+  //
+  // If we can't determine the current script's origin, just disable the
+  // whitelist and report all errors.
+  const scriptOrigin = currentScriptOrigin();
+  const whitelistUrls = scriptOrigin ? [scriptOrigin] : null;
+
   Sentry.init({
     dsn: config.dsn,
     environment: config.environment,
     release: '__VERSION__', // replaced by versionify
+    whitelistUrls,
 
     // See https://docs.sentry.io/error-reporting/configuration/filtering/?platform=javascript#before-send
     beforeSend: (event, hint) => {

src/sidebar/util/test/sentry-test.js

@@ -4,6 +4,7 @@ const sentry = require('../sentry');
 
 describe('sidebar/util/sentry', () => {
   let fakeDocumentReferrer;
+  let fakeDocumentCurrentScript;
   let fakeSentry;
   let fakeWarnOnce;
 
@@ -31,11 +32,18 @@ describe('sidebar/util/sentry', () => {
       fakeDocumentReferrer = sinon.stub(document, 'referrer');
       fakeDocumentReferrer.get(() => 'https://example.com');
 
+      fakeDocumentCurrentScript = sinon.stub(document, 'currentScript');
+      fakeDocumentCurrentScript.get(() => ({
+        src:
+          'https://cdn.hypothes.is/hypothesis/1.123.0/build/scripts/sidebar.bundle.js',
+      }));
+
       // Reset rate limiting counters.
       sentry.reset();
     });
 
     afterEach(() => {
+      fakeDocumentCurrentScript.restore();
       fakeDocumentReferrer.restore();
     });
 
@@ -55,6 +63,36 @@ describe('sidebar/util/sentry', () => {
       );
     });
 
+    it('configures Sentry to only report errors that can be attributed to our code', () => {
+      sentry.init({
+        dsn: 'test-dsn',
+        environment: 'dev',
+      });
+
+      assert.calledWith(
+        fakeSentry.init,
+        sinon.match({
+          whitelistUrls: ['https://cdn.hypothes.is'],
+        })
+      );
+    });
+
+    it('disables the URL whitelist if `document.currentScript` is inaccessible', () => {
+      fakeDocumentCurrentScript.get(() => null);
+
+      sentry.init({
+        dsn: 'test-dsn',
+        environment: 'dev',
+      });
+
+      assert.calledWith(
+        fakeSentry.init,
+        sinon.match({
+          whitelistUrls: null,
+        })
+      );
+    });
+
     it('adds extra context to reports', () => {
       sentry.init({ dsn: 'test-dsn', environment: 'dev' });
       assert.calledWith(