I started seeing our CI builds fail after we upgraded from version 0.9.21

        ReferenceError: Can't find variable: Symbol

It looks like the more recent releases are using the Symbol primitive. At first I thought we could upgrade our headless browser to the latest version and then I wondered why bable wasn't polyfilling Symbol? The babel documentation links to a caveats section on core-js https://github.com/zloirock/core-js#caveats-when-using-symbol-polyfill concerning the limited use of the Symbol polyfill.

• We can't add new primitive type, Symbol returns object.
• Symbol.for and Symbol.keyFor can't be shimmed cross-realm.
• By default, to hide the keys, Symbol polyfill defines setter in Object.prototype. For this reason, uncontrolled creation of symbols can cause memory leak and the in operator is not working correctly with Symbol polyfill: Symbol() in {} // => true.

I also looked and it seems that even the latest versions of Internet Explore don't have Symbol support.

We're required to maintain browser support for Internet Explore. Is it possible to rewrite without using the Symbol primitive? I'm reading back through the commit history. Looks like symbol support was was added in version 0.9.23.

See https://github.com/lightstep/lightstep-tracer-javascript/blob/master/src/imp/platform/node/transport_httpproto.js#L114

It would be nice to get support for setting the reporter.tags which show up as "Additional Details" in the trace view.

Currently everything is in the tags of the span, which causes quite a bit of unnecessary duplication and noise in the UI because most of the time I care about the tags that were specifically set on a particular span.

As you may be aware, in Chrome 80, they're changing the way that cookies are handled if the SameSite attribute isn't set for a cookie.

While looking into cookies that would be affected for our application, we noticed the cookies set by Lightstep, the lightstep_guid%F<cookiename> cookies didn't have SameSite or Secure set. I'm not terribly familiar with what these cookies are used for, but if they are potentially affected by this change in SameSite behavior, I figured it was worth filing an issue.

Another caveat on top of this change in default SameSite behavior, is that it isn't as simple as enabling for all browsers, as certain versions of Chrome will reject if this attribute is set. The list of incompatible clients is included here, which psuedocode as well.

Let me know if there's any additional information or clarification I can provide for this.

The code does not currently encode invalid characters before storing strings as cookies.

See http://stackoverflow.com/questions/1969232/allowed-characters-in-cookies.

Currently to use in the browser you have to either load the minified bundle, which includes (and duplicates) dependencies that I may already have in my bundle, or bundle with webpack and set PLATFORM_BROWSER to true. Parcel doesn't have an option to inject these global variables or tree-shake with them, so importing lightstep-tracer and bundling with parcel will always end up bundling both platform implementations and running the Node implementation.

Span exposes a LightStep-specific API generateTraceURL(), but there is no way in code to safely check if a given OpenTracing Span is a LighStep Span with instanceof because the class is not exported.

Page fails to load on IE11 for lightstep-tracer version 0.24.3.

How I verified lightstep-tracer 0.24.3 caused IE11 page load to fail:

1. Update lightstep-tracer with yarn install lightstep-tracer. We were using this version prior (https://github.com/stephen/lightstep-tracer-javascript#stephen/fix-timing-for-proto-built)
2. Page fails to load on IE11

I am enabling xhr_instrumentation to help me get traces for the frontend of my application and I do get error logs for 400 and 500 level errors in the span logs but it would be helpful to also get an error: true tag in the same way as the span logs are being automatically populated.

The explorer does not support filtering by logs and also does not recognize errors in the logs.

This would be really helpful.

Thank you! :)

I noticed Tracer is required as a global on the window object for lightstep to run in _getXHRSpan. In our application I am setting things up within an auto generated closure:

  Tracer = require('opentracing')
  Lightstep = require('lightstep-tracer/dist/lightstep-tracer')

When the page loads I see the exception Uncaught ReferenceError: Tracer is not defined(…)

chrome.loadTimes() is used in lightstep-tracer-javascript/src/plugins/instrument_document_load.js but is going to be deprecated in late 2018 according to https://developers.google.com/web/updates/2017/12/chrome-loadtimes-deprecated.

It seems that the reason for its deprecation is that there are other more standard APIs with wider browser support. In terms of a fix do we want to use the new APIs to get this data and apply it to more than just Chrome, switch to using the new Chrome APIs and continue to only add these metrics for Chrome, or drop the feature entirely?

Hi there :)

I am wondering what the procedure is to contribute to the project?
I have a PR I would like be looked over by you guys and gals...

PR: #117

Thanks!

Please add B3 header support :)

Please see this doc for the problem statement and specifics: https://docs.google.com/document/d/1ukvnSoXkavcojlVXpCRzep8PS_guXly_NbbhHIDgbFY/edit

Opentracing docs state that decimals for nanoseconds in start times on spans is supported: https://opentracing-javascript.surge.sh/interfaces/spanoptions.html

However we only account for microseconds and not nanoseconds in our handling of startTime see below:

Our satellites expect integers, resulting in an Go unmarshalling error on the satellite side when nanosecond decimals are passed in to startTime using this tracer

-- Issue brought to attention by @Rowno please add more details if I missed anything or described it incorrectly!

There is an issue where lightstep-tracer always assumes we are running on a browser and tries to access the document object. React Native apps crash because the document is undefined. We have a workaround solution where we define a global document object fallback property as shown in the snippet below but we would prefer a permanent solution to the library.

Object.defineProperties(global, {
  document: {
    value: {
      getElementsByTagName: () => [],
      cookie: {},
    },
  },
  window: {
    value: {
      location: {
        href: '',
      },
      addEventListener: () => {}
    },
  },
  requestAnimationFrame: {
    value: setTimeout
  }
});

In the nowMicros function for the browser platform implementation we try to use window.performance before falling back to Date.now() but these sometimes disagrees with window.performance.now() by significant amounts of time, causing incorrect traces if Date.now() or start times and end times are set in spans that are part of the same report.

• The transport mode is switched from thrift to proto from version 0.20.10 which breaks the trace reporting.
• This is a breaking change and should not have been released as a patch from 0.20.9 -> 0.20.10.

Error from logs

[LightStep:WARN] Error in report: status code=404, message='Not Found', body='404 page not found' { last_report_seconds_ago: NaN }

Figured out we can override using the options,{ transport: "thrift" }

When using a more generic OpenTracing configuration strategy, for ex., using JSON, it's possible that some keys exist for other purposes, different from the actual Lightstep configuration. For ex.:

"lightstep": {
    "_comment": "https://github.com/lightstep/lightstep-tracer-javascript/#new-traceroptions",
    "access_token": "<...>",
    "component_name": "app",
    "verbosity": 3,
    "collector_host": "tracing.example.com",
}

Leaving comments in JSON is not possible and it's common to use strategies like the example above. That is one use case.

Currently, this generates an error:

Error: Invalid option _comment
    at Tracer.options (/workspace/node_modules/lightstep-tracer/lib/imp/tracer_imp.js:534:27)
    at Tracer.setPlatformOptions (/workspace/node_modules/lightstep-tracer/lib/imp/tracer_imp.js:487:18)
    at new Tracer (/workspace/node_modules/lightstep-tracer/lib/imp/tracer_imp.js:172:15)

Maybe logging a warning would suffice or accepting a constructor argument to be less strict.

There is an API which allows you to pass a custom propagator as an option, but the propagator is meant to convert back and forth between a SpanContext and a carrier. Unfortunately SpanContext is private, so there's no way to actually use the API without completely reimplementing SpanContext (or importing it from the library internals). While both are technically easy, neither seems like a good idea.

The lightstep tracing module in envoy/ambassador passes down the headers x-ot-span-context and x-request-id, none of which work with the custom tracer.extract() function.

Renaming x-request-id to ot-tracer-traceid is not an issue, but I'm not sure how to decode x-ot-span-context into something useful (assuming it's not ot-tracer-spanid).

The javascript version only provides thrift as a transport option. Is there anything that would prevent using the GRPC version available in other languages?

Hello and thank you for a great product!

We use LightStep heavily on the server side of things in our node apps and would like to also enable tracing on the browser side to have the full stack covered. Is there an effort planned for making the browser builds lightweight, lazy loadable and friendly to the modern packaging tools to enable tree shaking?

What's the minimum version of Internet Explorer this project supports? I'm noticing that requiring it breaks the page in IE9 with the error:

Unable to get value of the property 'access_token': object is null or undefined

We should centralize the config in a config file.

It'd be nice to have typescript definitions for lightstep tracer, since it extends what's in opentracing spec.

Would this repo be a good place to host such typedefs?

Please add trace-context header support

Please see this doc for the problem statement and specifics: https://docs.google.com/document/d/1ukvnSoXkavcojlVXpCRzep8PS_guXly_NbbhHIDgbFY/edit

Our internal CI security scans have detected that the version of ws==0.4.32 which is pulled in as a transitive dependency of thrift==0.10.0 (lightstep dependency) exposes 2 high severity security threats.

DoS vulnerability:
ws < 1.1.15 || >=2.0.0 <3.3.1

• websockets/ws@f8fdcd4
• https://github.com/websockets/ws/releases/tag/3.3.1

DoS vulnerability:

• https://www.npmjs.com/advisories/120

As it stands, these issues block our CI/CD pipeline.

The next minor version release of thrift (0.11.0) - makes use of ws 5.x which resolves the threats mentioned above.

Would it be possible to update the version of thrift required by the lightstep module to mitigate this threat?

We did note a bump to 0.11.0 had been attempted in the past and was rolled back #126 due to incompatibilities with older versions of node.

right now, lightstep error messages include the Date timestamp.
https://github.com/lightstep/lightstep-tracer-javascript/blob/master/src/imp/tracer_imp.js#L1254

This seems like a questionable decision because:

• it's redundant (any logging system worth its salt would do this automatically)
• it thwarts our logging infrastructure's ability to aggregate error logs appropriately.

It would be nice if lightstep put this information in a separate payload.

The debug option (a boolean) should be replaced with the verbose option (an integer).

Once this is done, documentation should also be added to the README.

From this comment in #218.

See the rule for more info.

From the specification:

error.object

object

For languages that support such a thing (e.g., Java, Python), the actual Throwable/Exception/Error object instance itself. E.g., A java.lang.UnsupportedOperationException instance, a python exceptions.NameError instance

For Javascript, this would be the Error instance, and the tag should include the message and stack properties. But message and stack are not enumerable:

> Object.getOwnPropertyDescriptors(new Error('test'))
{ stack: 
   { value: 'Error: test\n    at repl:1:34\n    at ContextifyScript.Script.runInThisContext (vm.js:23:33)\n    at REPLServer.defaultEval (repl.js:336:29)\n    at bound (domain.js:280:14)\n    at REPLServer.runBound [as eval] (domain.js:293:12)\n    at REPLServer.onLine (repl.js:533:10)\n    at emitOne (events.js:101:20)\n    at REPLServer.emit (events.js:191:7)\n    at REPLServer.Interface._onLine (readline.js:238:10)\n    at REPLServer.Interface._line (readline.js:582:8)',
     writable: true,
     enumerable: false,
     configurable: true },
  message: 
   { value: 'test',
     writable: true,
     enumerable: false,
     configurable: true } }

so LightStep only shows an empty object:

I think it would make sense to special-case error.object here to include these non-enumerable properties, as the tag would always be an Error instance.

Requested for configuration convenience in a polyglot environment. Specifically, in Go it is a convention to use0 to mean default / "unset".

Since port 0 is never a valid port, it's reasonable to adopt this convention for the JS port setting as well.

It's extremely hard to debug production problems in the node lightstep distribution, because the distributed code is minified. This seems highly unusual -- I don't think I've ever seen people minify their nodejs code for distribution. Is there some reasoning behind it?

The library crashes the WebWorker at this position:
https://sourcegraph.com/github.com/lightstep/lightstep-tracer-javascript@789482ac598be711c6439c38553df52d47141273/-/blob/src/imp/platform/browser/options_parser.js#L6:19

Because it tries to access the DOM, which is isn't available in a WebWorker.

We have NGINX proxying to our satellites and nginx has a default max payload size of 1MB. We've seen:

• Satellites were not accepting traffic for a brief amount of time
• Client buffer filled up
  (Somewhere in here Satellites restarted)
• Satellites start accepting traffic again
• By this point client buffer was too big with the default span count limit of 4096
• Client tried to flush to satellites
• Rejected by NGINX config of max payload size of 1MB
• Buffer stays full as more spans are reported but can’t flush due to NGINX limit, hence increased memory usage

There looks to be a clean path to implementing this.

• https://github.com/lightstep/lightstep-tracer-javascript/blob/master/src/imp/tracer_imp.js#L1085
• https://github.com/lightstep/lightstep-tracer-javascript/blob/master/src/imp/tracer_imp.js#L814

If possible it would also be nice to have an option to set max buffer size bytes:

• Configure max buffer size bytes
• if a span would go over the size would flush
  I'm not sure of the performance implications of serializing across the different protocols. Ie are records concatenated so each span can be serialized and added to each other? or is there a different data structure that requires an array of spans making it not possible to do this??

We are working on our first LightStep integration and noticed that the minified client is quite large, at 446KB. This seems to be a regression introduced by #111. Prior to that patch, the client was 71.8KB.

When trying to use this library in a browser extension (Chrome or Firefox) the extension will throw with

Error: Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' blob:".

Chrome and Firefox do not allow eval( in extensions because it is a security risk.

This seems to be related to some Google library bundled (I assume for Proto support?), search https://github.com/lightstep/lightstep-tracer-javascript/blob/master/dist/lightstep-tracer.js for eval(.

is that supposed to be Number.MAX_VALUE?

Hey @bcronin,

I've noticed that the package version string is always a version behind the latest release in the dist/lightstep-tracer.js file. I was wondering what version of the library I am using when I install 0.9.27?

$ npm ls lightstep-tracer
[email protected] /Users/lthomas1/me/github/librato/metrics.js
└── [email protected]

Can you confirm?

Is there any way we can speed it up?

We would like to be able to add http context headers to the XHR requests when xhr_instrumentation is enabled.

Either doing it automatically or by accepting a callback which would make the span instance and the request available.

Having access to the span instance would also be useful to set more meaningful names (e.g. url pathnames), mangle url parameters (e.g. user information) or maybe remove sensitive headers from the spans, for example.

We're seeing the following error in production:

{"name"=>"TypeError", "message"=>"t.substr is not a function", "stack"=>"TypeError: t.substr is not a function\n at o (/usr/local/23307-3df9909/node_modules/lightstep-tracer/dist/lightstep-tracer-node.js:3:2991)\n at /usr/local/23307-3df9909/node_modules/lightstep-tracer/dist/lightstep-tracer-node.js:3:5051\n at …a.value (/usr/local/23307-3df9909/node_modules/lightstep-tracer/dist/lightstep-tracer-node.js:3:5501)\n at ClientRequest. (/usr/local/23307-3df9909/node_modules/lightstep-tracer/dist/lightstep-tracer-node.js:3:4971)\n at emitOne (events.js:77:13)\n at ClientRequest.emit (events.js:169:7)\n at Socket.socketCloseListener (_http_client.js:232:9)\n at emitOne (events.js:82:20)\n at Socket.emit (events.js:169:7)\n at TCP._onclose (net.js:477:12)"}

When I unwind the minified code, it appears to be due to this line:

which sometimes calls truncatedString(undefined) when payload hasn't been initialized yet

This would allow properties of spanContext to be read without accessing private variables. Alternatively, the private variables could simply be made public, though this seems less safe. Also because the "private" variables have thus far been used in a public way, changing them would be a breaking change, where adding new public getters would not be.

This error happens with opentracing v0.14

/.../node_modules/lightstep-tracer/lib/imp/span_imp.js:300
}(_opentracing2.default.Span);
                       ^

TypeError: Cannot read property 'Span' of undefined

The reason is that the lightstep tracer incorrectly imports a non-existing default export:

import opentracing from 'opentracing'

instead of

import * as opentracing from 'opentracing'

as there is no default export:
https://sourcegraph.com/github.com/opentracing/opentracing-javascript/-/blob/src/index.ts

The examples in:
https://github.com/lightstep/lightstep-tracer-javascript/blob/master/doc/cookbook.md

use tracer.join, which was removed in v0.10
https://github.com/opentracing/opentracing-javascript#v09x-to-v010x

E.g. right before around here (instrument_fetch.js#L190) we could run a hook/callback like:

tags = extraTagsHook(tags);

and the extraTagsHook would be passed in where the tracer is instantiated, e.g:

opentracing.initGlobalTracer(new lightstep.Tracer({
    access_token   : '{your_access_token}',
    component_name : '{your_service_or_app_name}',
    extraTagsHook: tags => {
      tags['web.origin.pathname'] = window.location.pathname;
      return tags;
    }
}));

WDYT?

Cheers!

related #90

lightstep-tracer version: 0.24.0-no_protobuf
Browser: Google Chrome 78.0.3904.97 (Official Build) (64-bit)

Issue:
We have a page that loads lightstep-tracer, and that page is sometimes loaded inside an iframe. When this happens, lighstep-tracer triggers an error in the browser that reads "Security Error: Failed to read the 'sessionStorage' property from 'Window': Access is denied for this document.", which causes the tracer to fail to load. I am only able to reproduce this when third-party cookies are disabled in Chrome.

It looks to me like this is coming from this code path: