Web - Workspace - Console error shows up when creating a new workspace #54152

Open
1 of 8 tasks
mitarachim opened this issue Dec 14, 2024 · 23 comments
Labels
Bug Something is broken. Auto assigns a BugZero manager. Monthly KSv2

Comments

@mitarachim

mitarachim commented Dec 14, 2024

If you haven’t already, check out our contributing guidelines for onboarding and email [email protected] to request to join our Slack channel!


Version Number: 9.0.76-6
Reproducible in staging?: Yes
Reproducible in production?: Yes
If this was caught on HybridApp, is this reproducible on New Expensify Standalone?: N/A
If this was caught during regression testing, add the test name, ID and link from TestRail: Exp
Email or phone of affected tester (no customers): [email protected]
Issue reported by: Applause Internal Team
Device used: Mac 15.0 / Chrome
App Component: Workspace Settings

Action Performed:

  1. Go to staging.new.expensify.com
  2. Log in with a new account (no workspace).
  3. Open FAB.
  4. Click New workspace.

Expected Result:

There will be no console error.

Actual Result:

Console error shows up when creating a new workspace.

This issue only happens when creating the first workspace on accounts without workspace.

Workaround:

Unknown

Platforms:

  • Android: Standalone
  • Android: HybridApp
  • Android: mWeb Chrome
  • iOS: Standalone
  • iOS: HybridApp
  • iOS: mWeb Safari
  • MacOS: Chrome / Safari
  • MacOS: Desktop

Screenshots/Videos

Bug6694138_1734166977890.20241214_165943.mp4

Bug6694138_1734166977907!staging.new.expensify.com-1734166801906.txt

image (2)

Current Issue Owner: @arosiclair
@mitarachim mitarachim added Daily KSv2 Bug Something is broken. Auto assigns a BugZero manager. labels Dec 14, 2024

melvin-bot bot commented Dec 14, 2024

Triggered auto assignment to @Christinadobrzyn (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details. Please add this bug to a GH project, as outlined in the SO.

@mitarachim mitarachim changed the title 54111 Web - Workspace - Console error shows up when creating a new workspace Web - Workspace - Console error shows up when creating a new workspace Dec 14, 2024
@melvin-bot melvin-bot bot added the Overdue label Dec 16, 2024
@Christinadobrzyn
Contributor

I'm not getting an error - asking QA to retest - https://expensify.slack.com/archives/C9YU7BX5M/p1734369688951269

@melvin-bot melvin-bot bot removed the Overdue label Dec 16, 2024
@kavimuru

Tester is still able to reproduce.

20241217_034255.mp4

@Christinadobrzyn
Contributor

Christinadobrzyn commented Dec 17, 2024

Thanks @kavimuru! Ah it's only in the console... hum... I don't know how important that is to fix. Going to ask the team.

https://expensify.slack.com/archives/C05LX9D6E07/p1734476966247799

@Christinadobrzyn
Contributor

Asking Kavi for some more information about the console error based on the Slack chat with the team - https://expensify.slack.com/archives/C9YU7BX5M/p1734478832205519?thread_ts=1734369688.951269&cid=C9YU7BX5M

@Christinadobrzyn
Contributor

Christinadobrzyn commented Dec 20, 2024

Screenshots of the console error were added in the OP. Following up with the team about this. https://expensify.slack.com/archives/C05LX9D6E07/p1734656322975919?thread_ts=1734476966.247799&cid=C05LX9D6E07

@Christinadobrzyn
Contributor

Christinadobrzyn commented Dec 20, 2024

Reaching out to SWM to see if someone can investigate this. https://expensify.slack.com/archives/C04878MDF34/p1734716296599589

@Christinadobrzyn
Contributor

@muttmuure muttmuure moved this to MEDIUM in [#whatsnext] #quality Dec 23, 2024
@melvin-bot melvin-bot bot added the Overdue label Dec 23, 2024
@arosiclair arosiclair self-assigned this Dec 23, 2024
@melvin-bot melvin-bot bot removed the Overdue label Dec 23, 2024
@arosiclair
Contributor

This is related to https://github.com/Expensify/Expensify/issues/424142. The error is coming from our third party GTM script here. I didn't see this when we implemented initially but I'll try reproducing.

@arosiclair
Contributor

I reproduced in staging. There's a couple CSP errors we should address though I'm not sure if they're the root of this problem:

gtm.js?id=GTM-N4M3FLJZ:501 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-MDY2MDQ0MGQ3MD/MGQyMGEwMTIwZjAwMjYwYTIwZmQ='

...

Either the 'unsafe-inline' keyword, a hash ('sha256-KMUaZ90m3965NtgVdQEgBJ+vRuC6eApfiDK3GqExqs8='), or a nonce ('nonce-...') is required to enable inline execution.
Refused to frame 'https://td.doubleclick.net/' because it violates the following Content Security Policy directive: "frame-src 'self' 

@Christinadobrzyn
Contributor

Thanks for investigating @arosiclair! Let me know if you want me to add anyone to this GH.

Just a heads up that I'm going to be ooo until Dec 30th. I'm not going to assign this to a BZ teammate but if anything is urgent, please reach out to the team for a volunteer.

@melvin-bot melvin-bot bot added the Overdue label Dec 26, 2024
@arosiclair
Contributor

arosiclair commented Dec 26, 2024

It looks like the GTM script we use injects more JS scripts that trigger the "Refused to execute inline script". The proper way to fix this is to generate and inject a nonce on the script. We tried something like that in the past but it didn't work well so it was reverted (Slack convo).

I started another Cloudflare-Workers PR to implement nonce injection again but I'm having trouble running it in dev with this error:

--- 2024-12-26T20:39:22.407Z debug
*** Fatal uncaught kj::Exception: kj/compat/tls.c++:82: failed: OpenSSL error; message = error:0900006e:PEM routines:OPENSSL_internal:NO_START_LINE
stack: 10180f74f 1018117cf 1009b376f 1009b5a5b 1009bd817 1009c154f 1009bfd5f 1009b1517 102e97983 102e97c93 102e9667f 102e96403 1009a07c7 190d24273
---

--- 2024-12-26T20:39:22.409Z debug
Error in ProxyController: Could not connect to InspectorProxyWorker
 MiniflareCoreError [ERR_RUNTIME_FAILURE]: The Workers runtime failed to start. There is likely additional logging output above.
    at #assembleAndUpdateConfig (/Users/arosiclair/.npm/_npx/32026684e21afda6/node_modules/miniflare/dist/src/index.js:9985:13)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Mutex.runWith (/Users/arosiclair/.npm/_npx/32026684e21afda6/node_modules/miniflare/dist/src/index.js:3632:16) {
  code: 'ERR_RUNTIME_FAILURE',
  cause: undefined
}
---
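
The per-response nonce approach described in the comment above, as an added example that is not code from the Expensify repositories or from this thread. All function names and the sample policy are constructed, and a regex rewrite stands in for the Workers `HTMLRewriter`; the last function models the browser check that refuses an inline script carrying no matching nonce.

```javascript
// Hypothetical helpers for a Workers-style response filter (not the project's code).
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// Constructed sample policy, shaped like the script-src quoted in the console error.
const SAMPLE_CSP =
  "default-src 'self'; script-src 'self' 'nonce-OLD' https://www.googletagmanager.com; frame-src 'self'";

// 128 random bits, generated for every response; a cached or fixed nonce gives no protection.
function makeNonce() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  return btoa(String.fromCharCode(...bytes));
}

const parse = (csp) => csp.split(';').map((d) => d.trim()).filter(Boolean);

// Swap any existing 'nonce-...' source in script-src for the fresh one.
function setScriptNonce(csp, nonce) {
  return parse(csp).map((d) => {
    const [name, ...sources] = d.split(/\s+/);
    if (name.toLowerCase() !== 'script-src') return d;
    const kept = sources.filter((s) => !/^'nonce-/i.test(s));
    return [name, ...kept, `'nonce-${nonce}'`].join(' ');
  }).join('; ');
}

// Stamp the nonce on first-party <script> tags that do not already carry one.
function stampScripts(html, nonce) {
  return html.replace(/<script\b(?![^>]*\bnonce=)([^>]*)>/gi, `<script nonce="${nonce}"$1>`);
}

// Simplified model of the browser decision for one inline script.
// Once a nonce or hash source is present, 'unsafe-inline' is ignored.
function inlineScriptAllowed(csp, scriptNonce) {
  const dirs = parse(csp).map((d) => d.split(/\s+/));
  const find = (n) => dirs.find(([name]) => name.toLowerCase() === n);
  const directive = find('script-src') ?? find('default-src');
  if (!directive) return true;
  const sources = directive.slice(1);
  if (scriptNonce && sources.includes(`'nonce-${scriptNonce}'`)) return true;
  const strict = sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
  return !strict && sources.includes("'unsafe-inline'");
}
```

A script element that a tag manager creates at runtime passes this check only if the creating code copies the page's nonce onto it, which is the propagation step the later comments report on.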

@melvin-bot melvin-bot bot removed the Overdue label Dec 26, 2024

melvin-bot bot commented Dec 28, 2024

@arosiclair @Christinadobrzyn this issue was created 2 weeks ago. Are we close to a solution? Let's make sure we're treating this as a top priority. Don't hesitate to create a thread in #expensify-open-source to align faster in real time. Thanks!

@melvin-bot melvin-bot bot added the Overdue label Dec 30, 2024

melvin-bot bot commented Dec 30, 2024

@arosiclair, @Christinadobrzyn Uh oh! This issue is overdue by 2 days. Don't forget to update your issues!

@arosiclair
Contributor

arosiclair commented Dec 30, 2024

Alright I was able to fix the SSL error with sudo - sudo npx wrangler dev index.js --local. I also had to replace our .dev.vars with a new version to fix an error. This is almost looking good, but there still seems to be an issue with the nonce not getting propagated to the scripts that GTM injects.

It looks like this might be the answer: https://stackoverflow.com/a/66573603

@melvin-bot melvin-bot bot removed the Overdue label Dec 30, 2024
@melvin-bot melvin-bot bot added the Overdue label Jan 2, 2025

melvin-bot bot commented Jan 3, 2025

@arosiclair, @Christinadobrzyn Whoops! This issue is 2 days overdue. Let's get this updated quick!

@arosiclair
Contributor

> It looks like this might be the answer: https://stackoverflow.com/a/66573603

I was mistaken - this is unrelated. I realized we need to use the nonce-aware version of the GTM script given here. I tried it in dev, but it still doesn't clear up the CSP issue even though I can verify the nonce is getting set correctly on the injected scripts.

At this point, I think this is an issue internal to the GTM script that we cannot fix. Somebody else running into the same issue a few years ago experienced the same here.

I think I'll still push changes to inject the nonces and then we can just hope that Google fixes the issue upstream eventually. At the moment, GTM event tracking still works despite these errors so we should be able to ignore them in the meantime.

@melvin-bot melvin-bot bot removed the Overdue label Jan 3, 2025
@melvin-bot melvin-bot bot added Reviewing Has a PR in review Weekly KSv2 and removed Daily KSv2 labels Jan 3, 2025
@Christinadobrzyn
Contributor

looks like this PR is in prod - #54782

Are we working on another PR or should this be closed @arosiclair?

@arosiclair
Contributor

Oh yeah I still have this PR which is still WIP. I'll get back to that soon.

@arosiclair arosiclair removed the Reviewing Has a PR in review label Jan 23, 2025
@Christinadobrzyn
Contributor

@melvin-bot melvin-bot bot added the Overdue label Feb 3, 2025
@arosiclair
Contributor

https://github.com/Expensify/Cloudflare-Workers/pull/163 is ready for a review and testing. Just need a deployer to do so. Asked here.

@melvin-bot melvin-bot bot removed the Overdue label Feb 4, 2025
@melvin-bot melvin-bot bot added the Overdue label Feb 13, 2025
@arosiclair
Contributor

I had Rory review the PR. We agreed that we should fix the dev environment first so it's easier to test locally. That's gonna require a bit more time.

@melvin-bot melvin-bot bot removed the Overdue label Feb 13, 2025
@melvin-bot melvin-bot bot added the Overdue label Feb 24, 2025
@arosiclair
Contributor

Dropping this to Monthly since this issue doesn't have any effects on the app beyond adding noise to the console.

@melvin-bot melvin-bot bot removed the Overdue label Feb 24, 2025
@arosiclair arosiclair added Monthly KSv2 and removed Weekly KSv2 labels Feb 24, 2025
Projects
Status: MEDIUM