Allow a list of SENTRY_JAVASCRIPT_DSN

We are preparing CodeOcean to run under multiple domains (such as open.hpi.de and openhpi.de). To ensure that Sentry is not blocked as a third-party context in any setting, we allow to set multiple DSNs. This change is backward compatible.

Author: MrSerth

app/views/layouts/application.html.slim

@@ -19,7 +19,7 @@ html lang=I18n.locale data-default-locale=I18n.default_locale
     = yield(:head)
     = csrf_meta_tags
     /= csp_meta_tag
-    meta name='sentry' data-enabled=SentryJavascript.active?.to_s data-release=SentryJavascript.release data-dsn=SentryJavascript.dsn data-environment=SentryJavascript.environment content=''
+    meta name='sentry' data-enabled=SentryJavascript.active?.to_s data-release=SentryJavascript.release data-dsn=SentryJavascript.recommended_dsn(request.host) data-environment=SentryJavascript.environment content=''
     - # rubocop:disable Lint/RedundantTypeConversion -- the `.to_s` is needed if `current_user` is `nil`. Otherwise, the `content` attribute would be omitted.
     meta name='current-user' content=current_user&.to_page_context&.to_json.to_s
     meta name='current-contributor' content=current_contributor&.to_page_context&.to_json.to_s

config/cable.yml

@@ -10,6 +10,10 @@ default: &default
   autotrim: true
   silence_polling: true
 
+  allowed_request_origins:
+    - codeocean-staging.openhpi.de
+    - codeocean-staging.open.hpi.de
+
   ### Config options for `redis`
   # url: <%= ENV.fetch("REDIS_URL") { "redis://localhost:6379/1" } %>
   # channel_prefix: codeocean_production

config/initializers/content_security_policy.rb

@@ -20,8 +20,10 @@ def self.apply_yml_settings_for(policy)
   end
 
   def self.apply_sentry_settings_for(policy)
-    sentry_host_source = get_host_source(SentryJavascript.dsn)
-    add_policy(policy, :connect_src, [sentry_host_source])
+    SentryJavascript.dsns.each do |dsn|
+      sentry_host_source = get_host_source(dsn)
+      add_policy(policy, :connect_src, [sentry_host_source])
+    end
   end
 
   def self.apply_codespaces_settings_for(policy)

config/initializers/sentry_javascript.rb

@@ -4,11 +4,30 @@
 
 class SentryJavascript
   def self.active?
-    dsn.present? && %w[development test].exclude?(environment)
+    dsns.present? && %w[development test].exclude?(environment)
   end
 
-  def self.dsn
-    ENV.fetch('SENTRY_JAVASCRIPT_DSN', nil)
+  def self.recommended_dsn(host)
+    cached_dsn(host) || matching_dsn(host) || dsns.first
+  end
+
+  def self.cached_dsn(host)
+    @cached_dsn ||= {}
+    @cached_dsn[host]
+  end
+
+  def self.matching_dsn(host)
+    matching_dsn = dsns.find do |dsn|
+      uri = URI.parse(dsn)
+      uri.host&.ends_with? host
+    end
+
+    @cached_dsn[host] = matching_dsn if matching_dsn
+    matching_dsn
+  end
+
+  def self.dsns
+    @dsns ||= ENV.fetch('SENTRY_JAVASCRIPT_DSN', '').split(',')
   end
 
   def self.release

docs/environment_variables.md

@@ -13,7 +13,7 @@ The following environment variables are specifically support in CodeOcean and ar
 | `PORT` | `7000` | Default port for the web server |
 | `PIDFILE` | `tmp/pids/server.pid` | Location of the file to store the Puma process ID |
 | `SENTRY_DSN` | ` ` | Specifies the [Sentry error reporting](https://sentry.io) endpoint for the Rails server |  
-| `SENTRY_JAVASCRIPT_DSN` | ` `    | Specifies the [Sentry error reporting](https://sentry.io) endpoint for the frontend used by browsers |  
+| `SENTRY_JAVASCRIPT_DSN` | ` `    | Specifies a list of comma-separated [Sentry error reporting](https://sentry.io) endpoints for the frontend used by browsers. A subdomain endpoint for the respective request is preferred, otherwise the first value is used. |  
 | `SENTRY_CURRENT_ENV` | ` ` | Specifies the [Sentry](https://sentry.io) environment used for error reporting |  
 | `SENTRY_TRACE_SAMPLE_RATE` | `1.0` | Specifies the sampling rate for traces in [Sentry](https://sentry.io) |  
 | `RAILS_LOG_LEVEL` | `info` in production<br>`debug` in development | Specifies how many log messages to print. The available log levels are: `debug`, `info`, `warn`, `error`, `fatal`, and `unknown`. |