Commit ce839ef

ryan953 authored and evanh committed
fix(toolbar): Include credentials with fetch requests (#82108)
Our fetch requests are cross-domain by design, we're making requests from a customer domain like `acme.sentry.io` into a region like `us.sentry.io`. Therefore we need to include credentials. This is also how the website is configured: https://github.com/getsentry/sentry/blob/aa22f5d2373fc19e224bc9cc1fb30c405f05d782/static/app/api.tsx#L338

More docs: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch#including_credentials

Previously we had `same-origin` which worked because we weren't using the regionUrl. We were instead sending api requests to the customer domain at `acme.sentry.io`. This meant that api requests were slower than using the regionUrl, and also we were unable to make requests for api endpoints that don't include an `/:organization/` segment. So using the regionUrl is an improvement, and this PR updates the credentials field to match.

Another thing to consider is that before we were using `window.location.origin` to make requests. That has since been replaced by https://github.com/getsentry/sentry/blob/aa22f5d2373fc19e224bc9cc1fb30c405f05d782/src/sentry/templates/sentry/toolbar/iframe.html#L31 so we can trust that we're always sending these credentials off to a domain that the server trusts and told us about.

Related to #81942
1 parent 6126baf commit ce839ef

1 file changed, +1 -1 lines changed

src/sentry/templates/sentry/toolbar/iframe.html

@@ -161,7 +161,7 @@
161161
const initWithCreds = {
162162
...init,
163163
headers: { ...init.headers, ...bearer },
164-
credentials: 'same-origin',
164+
credentials: 'include',
165165
};
166166
const response = await fetch(url, initWithCreds);
167167
return {
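
Review bot: with `credentials: 'include'` on `initWithCreds`, cookies now go to whatever origin `url` points at, and nothing in the visible lines constrains `url` before `fetch(url, initWithCreds)`. The commit message says the base is the server-provided region URL; a short comment here saying so, or a check that `new URL(url).origin` matches that region origin before the fetch, would keep the guarantee next to the line that depends on it. A credentialed cross-origin response is only readable when the server answers with `Access-Control-Allow-Credentials: true` and a specific, non-wildcard `Access-Control-Allow-Origin`, so it is also worth confirming the region endpoints send both for customer domains, and adding a comment on why the request carries both the `bearer` header and cookies.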
