Disable log trace on production Ember/Fastboot

Hi,

I’d like to ask how I could disable errors with a log trace in production.

When the app doesn’t have a connection to the API because of server issues, the user can see an Ember error in the console with a log trace, where it is possible to see the path where the app is deployed. I think that it is a big security issue.

When Fastboot is used and the Ember application starts earlier than the back-end application, the user can see a page with a 503 server error, which is good, but later there is an excerpt from Fastboot with the path where the app is deployed. The same security concerns apply.

So the best solution could be to remove the log trace from Ember’s error logs (the user can see in the console that something is wrong, but without details) and disable the log trace for Fastboot. How could it be done?

I use: Ember 3.24 and Fastboot.
Backend: Scala.

This probably isn’t the best way to do it but one option would be to override Ember.onerror with some custom code that checks what environment you are in and responds accordingly. Something along the lines of:

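    // app/instance-initializers/error-handler.js (file name is only an example)
    import Ember from 'ember';
    import config from '../config/environment';

    export function initialize(appInstance) {
      // the fastboot service is only registered when ember-cli-fastboot is installed
      const fastboot = appInstance.lookup('service:fastboot');
      const onErrorSuper = Ember.onerror || function(e) {
        throw e;
      };
      Ember.onerror = (...args) => {
        if (fastboot && fastboot.isFastBoot) {
          // do nothing if we're running in fastboot
        } else if (config.environment === 'production') {
          // sanitize the error or something
        } else {
          // if not fastboot or production then throw error as usual
          onErrorSuper(...args);
        }
      };
    }

    export default { initialize };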

Thank you very much. Really express help 🙂 I thought that Ember has a kind of flag somewhere that could be set in the production environment. Maybe it should be present in the future?

@b-arto it’s very possible something like that already exists… I’ve never actually messed around with it much. There’s this page in the guides which seems related but doesn’t cover exactly what you’re looking for… might be worth digging around deeper in the guides or the ember-cli docs

There is also an addon that looks relevant. I can’t speak to the addon itself but you could at least look through the source code and see what it’s doing under the hood for inspiration.

I investigated further and found out that Fastboot is the source of the unsafe log trace. The picture presents the log trace with Fastboot enabled (the same content is in the console as the usual red-highlighted Uncaught ErrorClass …):

Disabling the stack trace doesn’t actually hide anything from curious people, because all the information that generates the stack trace is still sitting there inside their browser.

I suggest you run a search through your app’s build output dist directory for the path in question. You’ll probably find it in a sourcemap. If you don’t want it to leak, you need to make sure it’s not in there.

Or you could just disable sourcemaps in production, or put the actual sourcemap files behind authorization on your webserver so only your own team can access them.
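
The search suggested in the last reply, sketched as a Node.js script. This is an added example, not code from the thread or from Ember; the function names, the sample files and the `/srv/deploy/my-app` path are made up for illustration.

```javascript
// Report where a deploy path shows up in build output.
// `files` is [{ name, text }]; `deployPath` is the path that should not be published.
function auditBuildOutput(files, deployPath) {
  const findings = [];
  for (const { name, text } of files) {
    if (name.endsWith('.map')) {
      let map;
      try { map = JSON.parse(text); } catch { map = null; }
      if (map) {
        // sourceRoot, sources and embedded sourcesContent can each carry the path
        const fields = { sourceRoot: [map.sourceRoot], sources: map.sources, sourcesContent: map.sourcesContent };
        for (const [where, values] of Object.entries(fields)) {
          const hits = (values || []).filter((v) => typeof v === 'string' && v.includes(deployPath));
          if (hits.length) findings.push({ file: name, where, count: hits.length });
        }
        continue;
      }
      // a malformed .map falls through to the plain text search below
    }
    if (text.includes(deployPath)) {
      findings.push({ file: name, where: 'content', count: text.split(deployPath).length - 1 });
    }
    // a bundle that advertises a sourcemap tells the browser where to fetch it
    const ref = /[#@]\s*sourceMappingURL=(\S+)/.exec(text);
    if (ref) findings.push({ file: name, where: 'sourceMappingURL', count: 1, target: ref[1] });
  }
  return findings;
}

// Load text assets from a build directory such as dist/ for auditBuildOutput().
async function loadDir(dir) {
  const { readdir, readFile } = await import('node:fs/promises');
  const files = [];
  for (const entry of await readdir(dir, { withFileTypes: true })) {
    const full = `${dir}/${entry.name}`;
    if (entry.isDirectory()) files.push(...(await loadDir(full)));
    else if (/\.(js|css|map|html)$/.test(entry.name)) files.push({ name: full, text: await readFile(full, 'utf8') });
  }
  return files;
}

// Constructed sample build output (not taken from a real app).
const SAMPLE = [
  { name: 'dist/assets/app.js', text: 'define("app",[],function(){});\n//# sourceMappingURL=app.map' },
  { name: 'dist/assets/app.map', text: JSON.stringify({ version: 3, sourceRoot: '', sources: ['/srv/deploy/my-app/app/app.js', 'vendor/ember.js'], mappings: '' }) },
  { name: 'dist/assets/broken.map', text: 'not json /srv/deploy/my-app' },
];
console.log(auditBuildOutput(SAMPLE, '/srv/deploy/my-app'));
```

Against a real build, call `loadDir('dist').then((files) => auditBuildOutput(files, yourPath))` after a production build and fail the deploy if the result is not empty.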