Allow the secure fetching of sourcemaps

[issacgerges]

I'd love the ability to secure the fetch of certain js sourcemaps via something like an auth token.

At the moment, the service seems to assume sourcemaps are publicly available via HTTP

allowed_origins: A list of "allowed origin patterns" that control what URLs we are allowed to scrape from. Allowed origins may be defined in several ways:http://domain.com/[:port]: Exact match for base URI (must include port).
*: Allow any domain.
*.[domain.com](http://domain.com/): Matches [domain.com](http://domain.com/) and all subdomains, on any port.
[domain.com](http://domain.com/): Matches [domain.com](http://domain.com/) on any port.
*:port: Wildcard on hostname, but explicit match on port.
headers: A map of headers to send with every HTTP request while scraping.

A custom header could be used to limit access but it's a bit clunky as

• The caller is required to provide it
• The headers will be sent on every http request, and easily leaked

I also noticed the Sentry source option, but these seem Sentry specific?

[Litarnus]

Hi @issacgerges. Thanks for reaching out. So far we only support the header solution as you mentioned. We would have to discuss this further internally to look into different solutions, but I can't tell you the timeline for it right now.

[issacgerges]

Thanks for the quick reply @Litarnus. Can you help me understand the purpose of the Sentry source on symboilcate-js? Assuming I've allowed sentry to retrieve my sourcemaps would that be something I could use?

[loewenheim]

Hi,

the "default" way to use Symbolicator is not by itself, but in connection with Sentry. In particular, for JS symbolication, you ideally upload your sourcemaps to Sentry (e.g. with sentry-cli). The Sentry source that gets passed to Symbolicator then tells it where it can find the sourcemaps you have uploaded to Sentry.