Custom exceptions throw globally aren't filtered by whitelistUrls

[bradvogel]

When some third party code throws a non-Error object, it's being collected by Raven's window.onerror handler and being fowarded to captureMessage, which doesn't use whitelistUrls to filter exceptions.

I'd expect that ALL global exceptions (that get caught by window.onerror) are passed through whitelistUrls, regardless of their type.

Code to reproduce:

  // Set up Raven:
  Raven.config('...', {
    whitelistUrls: [/myfile\.js/],
  });

  // Install window.onerror handler.
  Raven.install();

  setTimeout(function(){
     throw new Error('this will get filtered out by whitelistUrls since this isn\'t being thrown from that file');
  });

  CustomError = function(message) {
    this.message = message;
  };

  setTimeout(function(){
     throw new CustomError('this will make it through!');
  });

This is an issue if you're including third party libraries on the page that might throw their own custom error object, and not catch it.

[wearhere]

+1

[benvinegar]

@bradvogel – Your custom error needs to inherit from the Error prototype, e.g.

function CustomError = function(message) {
    this.message = message;
};
CustomError.prototype = Error.prototype;

Otherwise Raven does not consider this an error – it only knows that it is a function object, and cannot make any assertions about its properties. For example, your custom error will not have a stack property, even if it is thrown via the throw keyword.

[benvinegar]

Oh, I think I've misread. Your example was meant to (intentionally) demonstrate a non-error that passes through to captureMessage, where it is not filtered. Right?

[benvinegar]

In which case, I'm not sure what we can do. We extract the URL from an Error object's properties. A message / freeform object has no such property, so Raven.js does not know from which file the message originated from.

[bradvogel]

Hi Ben :). The throw object is actually out of our control. It's throw by third party code running on the page. So if badfile.js is throwing CustomError, it's automatically getting forwarded to Sentry, regardless of us using whitelistUrls to try to filter out all errors from badfile.js.

My thought is that the window.onerror handler should filter all incoming exceptions through whitelistUrls before determining if they're a proper Error object. Right now it gets passed to captureMessage which is exempt from the whitelistUrls filter.

[benvinegar]

Right. In your example though, onerror isn't catching the error – Raven wraps setTimeout with try/catch and likely catches it there (never reaching onerror). We do this because some browsers' onerror implementations do not provide stack traces (Safari, Edge, some versions of IE).

[bradvogel]

Ok I see. But the bug makes sense - right? I just need a way to suppress all errors from third party scripts from making it into Sentry.

[bradvogel]

:)

[wearhere]

Hey @benvinegar, cool to see this fixed. Will whitelistUrls automatically start filtering global exceptions once we upgrade?

[benvinegar]

Will whitelistUrls automatically start filtering global exceptions once we upgrade to 3.4.0?

It already does? For normal exceptions (Error), at least. This changes it so that generic messages caught via captureMessage will also apply whitelistUrls (note that you need stacktrace:true set in config).