Chrome Extension using `@sentry/browser` gets rejected

### Is there an existing issue for this?

- [x] I have checked for existing issues https://github.com/getsentry/sentry-javascript/issues
- [x] I have reviewed the documentation https://docs.sentry.io/
- [x] I am using the latest SDK release https://github.com/getsentry/sentry-javascript/releases

### How do you use Sentry?

Sentry Saas (sentry.io)

### Which SDK are you using?

@sentry/browser

### SDK Version

8.34.0

### Framework Version

_No response_

### Link to Sentry event

_No response_

### Reproduction Example/SDK Setup

```javascript
import * as Sentry from '@sentry/browser';

Sentry.init({ dsn: sentryDsn}); // (does not matter)
```

Use this in a Chrome Extension in the service worker.
In the content script we setup Sentry as outlined in these [official docs](https://docs.sentry.io/platforms/javascript/best-practices/shared-environments/) &mdash; but just using it in a service worker is enough to trigger this.

### Steps to Reproduce

1. Submit the extension to the Chrome Webstore
2. Wait


### Expected Result

* Extension is approved by the reviewers

### Actual Result

* Extension is rejected by the reviewers

The given reason:

```
Violating Content:
Code snippet: assets/[snip].js: const o = _b(n), i = k.document.createElement("script"); i.src = o, i.crossOrigin = "anonymous", i.referrerPolicy = "origin", t && i.setAttribute("nonce", t);
function _b(e) { const t = R(), n = t && t.getOptions(), r = n && n.cdnBaseUrl || "https://browser.sentry-cdn.com/"; return new URL(`/${yt}/${e}.min.js`, r).toString()
```

When looking up this code, it's coming from `@sentry/browser` and it looks like it's being used twice;

1) to lazy load integrations
2) and to load the "showReportDialog" feature

We use neither of these, yet still get rejected.

Probably not coincidentally, Chrome now is finally actually phasing out MV2 extensions ([source](https://developer.chrome.com/docs/extensions/develop/migrate/mv2-deprecation-timeline)), and only with MV3 remote code is not allowed to be executed. My guess is that they only started checking now.

It might be debatable that this is a bug, but I consider it as such because browser extensions seem to be [officially supported](https://docs.sentry.io/platforms/javascript/best-practices/shared-environments/).

The current work-around that I am using is to use `patch-package` to remove the code that injects a script tag in the `lazyLoadIntegration` and `showReportDialog` functions.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Chrome Extension using `@sentry/browser` gets rejected #14010

SpaceK33z
openedon Oct 17, 2024

Is there an existing issue for this?

How do you use Sentry?

Which SDK are you using?

SDK Version

Framework Version

Link to Sentry event

Reproduction Example/SDK Setup

Steps to Reproduce

Expected Result

Actual Result

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Chrome Extension using @sentry/browser gets rejected #14010

Description

SpaceK33zopenedon Oct 17, 2024