Skip to content

fix(core): Prevent functionToStringIntegration from throwing on cross-origin realms#22273

Open
mydea wants to merge 3 commits into
developfrom
francesconovy/js-2926-functiontostring-integrations-patched
Open

fix(core): Prevent functionToStringIntegration from throwing on cross-origin realms#22273
mydea wants to merge 3 commits into
developfrom
francesconovy/js-2926-functiontostring-integrations-patched

Conversation

@mydea

@mydea mydea commented Jul 15, 2026

Copy link
Copy Markdown
Member

The default functionToStringIntegration patches Function.prototype.toString. The patched function reads the Sentry carrier off getClient() (→ getMainCarrier()getSentryCarrier(GLOBAL_OBJ)GLOBAL_OBJ.__SENTRY__) on every .toString() invocation.

GLOBAL_OBJ is a WindowProxy in browser realms. When its browsing context is later navigated cross-origin while code from the old realm can still be invoked (e.g. a parent window holding a reference into a same-origin child iframe whose src changed to a cross-origin URL), the __SENTRY__ read throws a SecurityError.

Because the patch lives on Function.prototype, the throw is triggered by any third-party .toString() call, converting harmless introspection into uncatchable SecurityError noise that Sentry then reports as unhandled-rejection events.

Root cause

The native Function.prototype.toString never throws for these calls — the throw is introduced solely by the integration's internal carrier access. The fix wraps the patch body in a try/catch and falls back to originalFunctionToString.apply(this, args), mirroring the defensive style already used around the patch installation. This keeps the unwrap behavior intact for live realms and degrades to exact native semantics when the carrier read throws.

Fixes #21965

🤖 Generated with Claude Code

@linear-code

linear-code Bot commented Jul 15, 2026

Copy link
Copy Markdown

JS-2926

@github-actions

github-actions Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

size-limit report 📦

Path Size % Change Change
@sentry/browser 27.65 kB -0.02% -4 B 🔽
@sentry/browser - with treeshaking flags 26.09 kB -0.06% -15 B 🔽
@sentry/browser (incl. Tracing) 46.41 kB -0.03% -10 B 🔽
@sentry/browser (incl. Tracing + Span Streaming) 48.22 kB +0.02% +8 B 🔺
@sentry/browser (incl. Tracing, Profiling) 51.22 kB +0.04% +19 B 🔺
@sentry/browser (incl. Tracing, Replay) 85.69 kB +0.02% +17 B 🔺
@sentry/browser (incl. Tracing, Replay) - with treeshaking flags 75.31 kB +0.01% +1 B 🔺
@sentry/browser (incl. Tracing, Replay with Canvas) 90.4 kB +0.02% +17 B 🔺
@sentry/browser (incl. Tracing, Replay, Feedback) 103.03 kB -0.01% -7 B 🔽
@sentry/browser (incl. Feedback) 44.84 kB +0.02% +6 B 🔺
@sentry/browser (incl. sendFeedback) 32.44 kB -0.04% -10 B 🔽
@sentry/browser (incl. FeedbackAsync) 37.58 kB +0.02% +4 B 🔺
@sentry/browser (incl. Metrics) 28.73 kB -0.06% -17 B 🔽
@sentry/browser (incl. Logs) 28.95 kB -0.07% -20 B 🔽
@sentry/browser (incl. Metrics & Logs) 29.67 kB -0.01% -2 B 🔽
@sentry/react 29.45 kB -0.03% -8 B 🔽
@sentry/react (incl. Tracing) 48.66 kB -0.05% -22 B 🔽
@sentry/vue 33.08 kB -0.03% -7 B 🔽
@sentry/vue (incl. Tracing) 48.37 kB -0.06% -25 B 🔽
@sentry/svelte 27.68 kB +0.01% +2 B 🔺
CDN Bundle 30.05 kB -0.01% -1 B 🔽
CDN Bundle (incl. Tracing) 48.38 kB -0.05% -21 B 🔽
CDN Bundle (incl. Logs, Metrics) 31.63 kB -0.02% -5 B 🔽
CDN Bundle (incl. Tracing, Logs, Metrics) 49.7 kB -0.02% -8 B 🔽
CDN Bundle (incl. Replay, Logs, Metrics) 70.89 kB +0.04% +23 B 🔺
CDN Bundle (incl. Tracing, Replay) 85.9 kB +0.01% +2 B 🔺
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) 87.19 kB -0.03% -20 B 🔽
CDN Bundle (incl. Tracing, Replay, Feedback) 91.7 kB +0.01% +2 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) 92.98 kB +0.02% +10 B 🔺
CDN Bundle - uncompressed 89.61 kB +0.03% +23 B 🔺
CDN Bundle (incl. Tracing) - uncompressed 146.36 kB +0.02% +23 B 🔺
CDN Bundle (incl. Logs, Metrics) - uncompressed 94.31 kB +0.03% +23 B 🔺
CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed 150.33 kB +0.02% +23 B 🔺
CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed 219.04 kB +0.02% +23 B 🔺
CDN Bundle (incl. Tracing, Replay) - uncompressed 265.56 kB +0.01% +23 B 🔺
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed 269.52 kB +0.01% +23 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed 279.26 kB +0.01% +23 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed 283.21 kB +0.01% +23 B 🔺
@sentry/nextjs (client) 51.21 kB -0.02% -9 B 🔽
@sentry/sveltekit (client) 46.83 kB -0.07% -31 B 🔽
@sentry/core/server 78.49 kB -0.03% -17 B 🔽
@sentry/core/browser 64.85 kB -0.02% -7 B 🔽
@sentry/node-core 62.8 kB +0.02% +10 B 🔺
@sentry/node 125.18 kB -0.02% -21 B 🔽
@sentry/node (incl. diagnostics channel injection) 140.21 kB -0.02% -20 B 🔽
@sentry/node/import (ESM hook with diagnostics-channel injection) 69.96 kB - -
@sentry/node/light 50.78 kB -0.04% -17 B 🔽
@sentry/node - without tracing 74.18 kB +0.02% +8 B 🔺
@sentry/aws-serverless 83.37 kB -0.02% -13 B 🔽
@sentry/cloudflare (withSentry) - minified 181.81 kB +0.02% +21 B 🔺
@sentry/cloudflare (withSentry) 450.13 kB +0.04% +152 B 🔺

View base workflow run

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 69701ca. Configure here.

let context = thisArg;

try {
if (SETUP_CLIENTS.has(getClient()!) && originalFunction) {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unguarded non-null assertion

Low Severity

New non-null assertion on getClient()! has no comment explaining why a safer type is impossible. Elsewhere in this package the usual pattern is to bind getClient() and null-check before use, which also avoids the assertion. Flagged because it was mentioned in the PR review guidelines rules file.

Fix in Cursor Fix in Web

Triggered by project rule: PR Review Guidelines for Cursor Bot

Reviewed by Cursor Bugbot for commit 69701ca. Configure here.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is fine, if we do has(undefined) it will simply return false

mydea and others added 3 commits July 15, 2026 12:38
…-origin realms

The patched `Function.prototype.toString` reads the Sentry carrier off
`getClient()` on every invocation. When `this` (or the global object) is a
`WindowProxy` whose browsing context was navigated cross-origin, that read
throws a `SecurityError`. Since the patch lives on `Function.prototype`, any
third-party `.toString()` call hits it, turning harmless introspection into
uncatchable error noise. Wrap the patch body in a try/catch and fall back to
the native `toString` so it never throws where the native impl would not.

Fixes #21965

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@mydea mydea force-pushed the francesconovy/js-2926-functiontostring-integrations-patched branch from 69701ca to 2f8b46e Compare July 15, 2026 10:38
@mydea mydea marked this pull request as ready for review July 15, 2026 10:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

FunctionToString integration's patched Function.prototype.toString throws SecurityError when its realm's browsing context was navigated cross-origin

1 participant