No 'Access-Control-Allow-Origin' header on "envelope" API call responses

[cawel]

Important Details

How are you running Sentry?

Self-hosted.
Aptible docker image: sentry:8.7-onbuild

Description

The errors appear in my Sentry project (on sentry.my-domain.com), reaching Sentry with a "store" API call like this one:

https://sentry.my-domain.com/api/10/store/?sentry_key=XXXXXXXXXX&sentry_version=7

However, the "envelope" API calls like this one are blocked by the browser:

https://sentry.my-domain.com/api/10/envelope/?sentry_key=XXXXXXXXXX&sentry_version=7

The cause is a CORS issue:

Access to fetch at 'https://sentry.my-domain.com/api/10/envelope/?sentry_key=XXXXXXXXXX&sentry_version=7' from origin 'https://my-domain.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Indeed, the 'Access-Control-Allow-Origin' header is not present on an "envelope" API call response. It is however present on a "store" API call response.

I did add my domain name in the "Allowed Domains" configuration section on sentry.my-domain.com and I could confirm this had an impact on whether or not the "store" API calls reached Sentry. No impact on those "envelope" calls though.

Any hint on how to get rid of these errors?

Steps to Reproduce

1. Setup Sentry with @sentry/browser (on a Next JS project in my case)
2. Trigger an error with throw new Error('boom')
3. The "store" API call will reach Sentry, but the "envelope" API calls will not.

Sentry configuration:

import * as Sentry from '@sentry/browser';

export const init = () => {
  if (process.env.NEXT_PUBLIC_SENTRY_DSN) {
    const integrations = [];

    Sentry.init({
      enabled: process.env.NODE_ENV === 'production',
      integrations,
      dsn: process.env.NEXT_PUBLIC_SENTRY_DSN,
      release: process.env.NEXT_PUBLIC_COMMIT_SHA,
    });
  }
};

What you expected to happen

The "envelope" API calls should return a 'Access-Control-Allow-Origin' header in the response.

[BYK]

Pinging @getsentry/owners-ingest for triage

[BYK]

@cawel you selected you are using sentry.io but you mention a custom domain. Are you using self-hosted Sentry?

[BYK]

Also, are you able to share a full request log complete with request and response headers? (these headers are the most important piece actually, you can crop out the response and request bodies)

[cawel]

I've just learned I'm actually using a self-hosted Sentry, sorry for the confusion. I've updated the issue description.

[BYK]

Aptible docker image: sentry:8.7-onbuild

Wow, that's historic. I don't think the envelope endpoint will ever work there. You need to bring your Sentry back to the future or use an older version of the SDK

[BYK]

Closing as this is not actionable on our side. Let us know if we can assist you with an upgrade (or a migration to sentry.io 😉 😁 )

[cawel]

@BYK Thanks for your feedback. That explains the issue. We'll have to upgrade Sentry then!

[cawel]

For those bumping into the same issue as I have, downgrading the SDK to the latest of version 5 (which is 5.30.0 at the time of writing) fixed my issue – no more "envelope" API calls. When I had the issue I was using @sentry/[email protected] .