Sentry code triggering violation from Google manifest v3 during publication #14579

rodolfoBee · 2024-12-04T17:57:23Z

Is there an existing issue for this?

I have checked for existing issues https://github.com/getsentry/sentry-javascript/issues
I have reviewed the documentation https://docs.sentry.io/
I am using the latest SDK release https://github.com/getsentry/sentry-javascript/releases

How do you use Sentry?

Sentry Saas (sentry.io)

Which SDK are you using?

@sentry/browser

SDK Version

8.9.1

Framework Version

No response

Link to Sentry event

No response

Reproduction Example/SDK Setup

No response

Steps to Reproduce

NA

Expected Result

No violation is to be triggered when using the NPM package as described here: https://docs.sentry.io/platforms/javascript/best-practices/shared-environments/

Actual Result

Violation report:

Technical Requirements - Additional Requirements for Manifest V3:
Violation:
Including remotely hosted code in a Manifest V3 item.
and
Having obfuscated code in the package.
Violating Content:
Code snippet:

 assets/index.html-wmZQQl7D.js: unction
getScriptURL(ar) { const rr = getClient(), cr = rr &&
rr.getOptions(), lr = cr && cr.cdnBaseUrl ||
"https://browser.sentry-cdn.com"; return new
URL(`/${SDK_VERSION}/${ar}.min.js`, lr).toString() } fr =
getScriptURL(cr), dr = WINDOW$4.document.
createElement("script"); dr.src = fr,"

It seems to be from this file: https://github.com/getsentry/sentry-javascript/blob/develop/packages/browser/src/utils/lazyLoadIntegration.ts

The text was updated successfully, but these errors were encountered:

Lms24 · 2024-12-05T09:17:32Z

We need more information to debug this:

What kind of application is the SDK used in? A browser extension?
How is this reproducible?

ebloom19 · 2024-12-05T09:34:50Z

We need more information to debug this:

What kind of application is the SDK used in? A browser extension?

How is this reproducible?

Yes it is a browser extension listed in the Chrome Web Store. As of their manifest v3 restrictions it has flagged the mentioned points.

Unfortunately the only way to reproduce is to resubmit the extension to the web store and wait for the team to audit the update and either accept or reject.

Here is an example of a similar issue faced by another library.

PostHog/posthog-js#1394

mydea · 2024-12-05T10:26:39Z

This is likely a duplicate of #14010.

I'll close this in favor of that issue, feel free to add more thoughts there.

TLDR: This should be tree-shaken if you do not use it. What exact config/init is used, and what build config? This likely needs to be tree shaken out, so maybe something has to be configured in the bundler or similar 🤔

getsantry bot added the Waiting for: Product Owner label Dec 4, 2024

getsantry bot added this to GitHub Issues with 👀 3 Dec 4, 2024

getsantry bot moved this to Waiting for: Product Owner in GitHub Issues with 👀 3 Dec 4, 2024

github-actions bot added the Package: browser Issues related to the Sentry Browser SDK label Dec 4, 2024

getsantry bot removed the Waiting for: Product Owner label Dec 5, 2024

getsantry bot removed the status in GitHub Issues with 👀 3 Dec 5, 2024

Lms24 added Waiting for: Community Waiting for: Product Owner labels Dec 5, 2024

getsantry bot removed Waiting for: Product Owner Waiting for: Community labels Dec 5, 2024

Lms24 added the Waiting for: Community label Dec 5, 2024