Skip to content

feat(toolbar): Use the CSRF token in headers and cookies when using the sentry API #106286

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ryan953 wants to merge 6 commits into
base: master
Choose a base branch
from
Open

feat(toolbar): Use the CSRF token in headers and cookies when using the sentry API #106286

ryan953 wants to merge 6 commits into from

Conversation

@ryan953
Copy link
Member

@ryan953 ryan953 commented Jan 14, 2026
edited
Loading

Followup to #106059

Before we only sent it in the headers, but the API is still returning "CSRF Failed: CSRF cookie not set." so we need it in both places it seems.

This splits up the name & value parts, so we can set everything very clearly. To cleanup we dont need the cookie names again, we will just set all cookies to have a value of the emptystring.

This change sits within the boundaries we had before; no values are leaving the scope of our dns/domains. As before we're augmenting requests (adding cookies and other headers) as we proxy messages through the page, checking all the same allowlists before we even render the page. These diagrams are still relevant, but show only the cookie argument which is now both session and csfr tokens.

@ryan953
feat(toolbar): Use the CSRF token in headers and cookies when using t…
5770669 
…he sentry API

Before we only sent it in the headers, but the API is still returning "CSRF Failed: CSRF cookie not set." so we need it in both places it seems.

This splits up the name & value parts, so we can set everything very clearly. To cleanup we dont need the cookie names again, we will just set all cookies to have a value of the emptystring
@ryan953 ryan953 requested review from a team as code owners January 14, 2026 18:56
@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Jan 14, 2026
sentry[bot]
sentry bot reviewed Jan 14, 2026
View reviewed changes
sentry[bot]
sentry bot reviewed Jan 14, 2026
View reviewed changes
sentry[bot]
sentry bot reviewed Jan 14, 2026
View reviewed changes
cursor[bot]
cursor bot reviewed Jan 14, 2026
View reviewed changes
cursor[bot]
cursor bot reviewed Jan 14, 2026
View reviewed changes
@ryan953 ryan953 requested review from a team, michelletran-sentry and oioki January 14, 2026 20:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sentry sentry[bot] sentry[bot] left review comments

@cursor cursor[bot] cursor[bot] left review comments

@oioki oioki Awaiting requested review from oioki

@michelletran-sentry michelletran-sentry Awaiting requested review from michelletran-sentry

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

Scope: Backend Automatically applied to PRs that change backend components

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ryan953