Summary

There have been questions on CSP this summer and support shared the self hosting option/workaround to several customers which has been useful.

Desired Behavior

Let's put this solution into our github repo for reference.

Possible Solution

csp-v2-host-install-browser-agent (1).pdf

Summary

Desired Behavior

Possible Solution

Additional context

Description

0 is the perfect CLS score and needs to be included in our calculations (e.g. 75th percentile). Currently the agent only records a CLS value when the browser provides one (when content actually shifts). When there is no shift, we do not report anything, and the cumulativeLayoutShift attribute is not added to the PageViewTiming events.

We cannot simply update our queries to default to 0 because that would include events from browsers that do not support CLS. We could filter our queries to those browsers, but that makes for complicated queries, and we also want to make it easy for our customers to query CLS values.

Therefore, the agent should detect if the browser supports CLS. And if it does, it should report 0 by default.

https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

This pertains to the agent (aggregator) script that the loader is adding to the page dynamically. To provide SRI, we should generate an integrity hash, and include it in an "integrity" attribute of the script tag.

This work would include:

minor change to the agent (adding the integrity attribute)

update the build process to generate the integrity hash and include it in the agent

From Marino Alvarez: I have a customer reach out to me with CSP concerns. Created an internal ticket with the details and also a Feature Request. Our docs mention to reach out to support to discuss other options but there aren't any other options that support can rely to our customers (should we change that doc?).

Summary

Provide support for monitoring Web Workers.

Desired Behavior

Collect at least the following:

• Error reporting
• External calls
• Custom tracers

Description

When the initial agent script (loader) executes after the load event, it will never load the second part of the agent. It will also continue buffering data indefinitely.

There is a failsafe mechanism to stop collecting data when the second part of the agent does not load within 30 seconds. But this mechanism is setup when the window load event fires. Therefore, if the event never fires, data will continue to be collected in a buffer causing the web page to eventually run out of memory.

Expected Behavior

The agent should detect if the window load event has already occurred, and either initiate the second script download or abort.

Background

CLS captures how much the page shifts and how often. There are use cases, especially for single page applications, where the page can be open for a very long time which results in a score that is too high. Google therefore has capped that to account for the maximum layout shift window aka capturing the most frustrating burst of layout shift on the page.

What will we do

This effort is to match the new standard for our CLS reporting.

Customer & business value

This is an iterating of work for capture more data/better signal. It is also work we need to do to be on top of latest key metrics for RUM monitoring.

AWS would like to partner with our browser agent team to help define RUM OTel

The scope of this work in May will be limited to conversations with AWS to work toward a scope of this project.

Related Koan Key Result: https://newrelic.koan.co/team/f5bc77b8-f32c-40c3-a912-32f1a4ae473d/goals/f/goals/e29c7226-fa04-4d54-bc59-83fa99c1d526?inviteModal=false&view=nested&modal=&status=active&columns=leads%2CdueDate%2Cparent%2Cmetrics%2Cconfidence%2CcloseOutDetails&rosterModal=false

Related Row in Commits Spreadsheet: None.

Problem

Customers would like all Ajax Requests available to query in Insights. The confusion lies when just a subset of ajax requests are captured as event data, the rest are not-so-easy-to-query aggregate metric data.

Ajax calls are currently captured as events (AjaxRequest) _ only _when the call happens as part of a browser interaction that is captured. Since out of the box we capture only interactions that are classified as route changes, many ajax calls do not get recorded as events.

Ajax requests that are stored as event data are the starting point for Distributed Tracing, so by not representing all requests in the system, we lose some visibility.

What we need to do

We need to capture all AJAX requests in a way that customers can facet and filter by AJAX and not missing AJAX requests when using DT

The goal of this effort is to consolidate all AJAX requests into one data collection type, that is queryable via Insights and a seamless experience for our customers.

Proposed Solutions

All ajax requests as events (which come with storage concerns)

Ajax requests as dimensional metrics, which likely requires some rework for DT? This is likely the better candidate.

BROWAGENT-50

Related Operational Links

• Koan Key Result (FY22 June)

Description

The NR agent continues to record Largest Contentful Paint after the page changes visibility. This is a different from the WebVitals library, which stops recording when the page is hidden (e.g. by switching tab).
https://github.com/GoogleChrome/web-vitals/blob/main/src/getLCP.ts#L68

In order to capture the same values as the Google official library, we should change this behavior.

Effort: Small

Running npm run test on Windows errors with message:

'tools' is not recognized as an internal or external command.

Even when using node at the beginning of the command does not seem to run tests.

• small effort

The following snippet can be used as a repro. The interaction is captured the first time it is run, but not on subsequent times.

document.addEventListener('click', run, false)

function run () {
var url = '/jsonp?cb=foo'
var el = document.createElement('script')
el.src = url
window.document.body.appendChild(el)
}

function foo (data) {
window.location.hash = Math.random()
}

This was reported by a user
https://twitter.com/simonhearne/status/977200179236483072
https://discuss.newrelic.com/t/do-not-clear-the-resource-timing-buffer/54771

This affects session traces. The solution proposed by the user is to either stop collecting resources when the buffer becomes full, or increase the buffer.

One possible solution is to switch to using the observer API. It is not supported by older browsers, but probably vast majority at this point, so it might be sufficient.

Another possibility is to make this configurable, so that the customer using the NR agent can decide how long sessions traces they want to collect.

Summary

When monitoring some of our pages using Calibre (which essentially runs Lighthouse in a lab) we can see nr-loader-spa sometimes blocking > 5s of main thread execution.

We are including the browser agent on our page with the following HTML:

<script type="text/javascript">
(function () {
window.NREUM\|\|(NREUM={});
NREUM.init={distributed_tracing:{enabled: true,cors_use_newrelic_header: true,cors_use_tracecontext_headers:true,allowed_origins:[]},privacy:{cookies_enabled:true}};
NREUM.loader_config={accountID:"OUR_ACCOUNT_ID",trustKey:"OUR_ACCOUNT_ID",agentID:"OUR_APPLICATION_ID"};
NREUM.info={licenseKey:"OUR_LICENSE_KEY",applicationID:"OUR_APPLICATION_ID",agent:"https://OUR_CDN_DOMAIN/nr-spa.1210.js"};
}());
</script>
<script src="https://OUR_CDN_DOMAIN/nr-loader-spa.1210.js"></script>

To be fair this is running on a particularly slow page, elsewhere we only see a blocking time of 145ms.

Desired Behavior

Ideally we want as little blocking time as possible, or perhaps some insight into why this might be taking so long in this case.

Possible Solution

We've started using the style above as documented in this project's README because our apps are single page apps and we can't include the snippet via server-side monitoring and we found that the snippets provided by the old REST API seemed out of date.

Potentially we could change our script that generates the above HTML to instead inline nr-spa.1210.js, though in our trace it doesn't seem like loading the script is the issue.

I'm not sure if it would be workable to delay instantiation of the agent and simply collect data until there doesn't seem to be a lot of other activity.

Additional context

The Calibre trace is emulating desktop Chrome running over a cable connection; we have other tests using a similar profile that don't experience these long blocking times.

When the agent connects to our backend, the backend sets a cookie with a session ID. This is used to tie together page views (session attribute on PageView events). When the cookie cannot be created, the session value is different for every page view.

This keeps coming up in support tickets, and it basically prevents us from correctly recording sessions. If customers are using our session attribute to count unique sessions, this number is often incorrect.

This has become a higher severity with Safari 12, which by default blocks 3rd-party cookies.

This issue also affects recent Firefox users where the default behavior is to block these cookies: https://blog.mozilla.org/blog/2019/09/03/todays-firefox-blocks-third-party-tracking-cookies-and-cryptomining-by-default/

involve browser wizards on this one - Aidan Cuffe made an augmentation. See which customers have tried it.

Getting served errors from third parties. They can't rule out that we did not throw the error.

Messaging around that we observed the error and did not throw the error.

Effort: Medium

Summary

Currently the agent limits the number of PageAction events collected to 60 per harvest (every 30 seconds). This is often not enough. We would like to increase the number to meet our customers' needs.

Desired Behavior

Customers are able to collect all their PageAction events.

Possible Solution

Start by doubling the current limit, measure the impact and decide on next steps.

Summary

Desired Behavior

Possible Solution

Additional context

Repolinter Report

🤖This issue was automatically generated by repolinter-action, developed by the Open Source and Developer Advocacy team at New Relic. This issue will be automatically updated or closed when changes are pushed. If you have any problems with this tool, please feel free to open a GitHub issue or give us a ping in #help-opensource.

This Repolinter run generated the following results:

• Passed
  • ✅ license-file-exists
  • ✅ readme-file-exists
  • ✅ readme-starts-with-community-plus-header
  • ✅ readme-contains-link-to-security-policy
  • ✅ readme-contains-discuss-topic
  • ✅ code-of-conduct-should-not-exist-here
  • ✅ third-party-notices-file-exists

Passed #

Description

I've tried using the built files to host the SPA agent locally with a configuration like the following:

<script type="text/javascript">
  window.NREUM||(NREUM={});
  NREUM.init = {
    distributed_tracing: {
      enabled: true,
      cors_use_newrelic_header: true,
      cors_use_tracecontext_headers: true,
      allowed_origins: [/* array of strings of origins, e.g. 'https://example.com', 'https://mydomain' */]
    },
    privacy: {
      cookies_enabled: true
    }
  };
  NREUM.info = {
    licenseKey: "/* my license key */",
    applicationID: /* my application id */,
    agent: "https://MY_CDN/nr-spa.js"
  };
</script>
<script src="https://MY_CDN/nr-loader-spa.js"></script>

It appears that most of the standard browser monitoring works, but distributed tracing does not.

Steps to Reproduce

1. clone this project
2. run npm run build
3. upload the generated nr-spa.js and nr-spa-loader.js to a CDN, web server, etc.
4. initialise the agent to use distributed tracing with a set of allowed domains that are also configured to support distributed tracing headers
5. in a browser app using the generated scripts make XHR requests which should be included in distributed traces

Expected Behavior

• AJAX requests are made with tracestate, traceparent and newrelic headers
• requests appear in Distributed Tracing

Relevant Logs / Console output

Your Environment

• Chome 91.0.4472.101
• OS X 11.4

Additional context

Opera is no longer a supported browser in SauceLabs (source). While it was supported, we experienced issues with it that lead us to explicitly exclude it from certain tests in the agent (search for .exclude('opera@<=12') in the agent repo for examples), these are unnecessary now, those and any other references to opera should be cleaned up and it should be documented somewhere than Opera may not be an officially supported browser.

This work includes reviewing AWS's proposal for a data model for RUM metrics.

Related Operational Links

• Koan Key Result ( FY22 June)

This feature will be available in Chrome 91https://developer.chrome.com/blog/enabling-shared-array-buffer/#cross-origin-isolation

This is related to CORPhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP)

We are planning to test when Chrome 91 is available. Chrome 91 should come out at the end of May 2021, beta should be available at the end of April.

Context in this thread: https://newrelic.slack.com/archives/G019T80B1EJ/p1614288779011800

Summary

Currently we record pageHide PageViewTiming event for the first time a page is hidden. The original intent was to record an event when the user hides the page without leaving, e.g. switching to a different tab or window.

We do not record this event when the first time the page becomes hidden is when it is unloading. We could argue that this is covered by the windowUnload event. However, we use the pageHide event to query CLS values, and since that query can use only one type of the PVT event (to not include multiple events per page view), some pages are completely excluded from our aggregate calculations.

Desired Behavior

Therefore, this is a proposal for recording pageHide event when the page page is unloading - if and only if the pageHide event has not been already recorded. We can make argument that this makes sense since the visibilitychange event fires on windowUnload.

Additional context

The secondary implications of this change is that the pageHide event will change meaning a little. Users will no longer be able to ask how often users switch tabs, or compare windowUnload to pageHide. However, we do not know if customers query for this information, and it is not the primary use case for these events. If it turns out that customers want this, then we could decorate the pageHide PVT events with secondary attribute when they happen during unload.

Description

The Remove Label github action is now failing with the error below. This is new behavior.

Run andymckay/labeler@master
TypeError: Cannot read property 'pull_request' of undefined
    at getIssueNumber (/home/runner/work/_actions/andymckay/labeler/master/label.js:32:59)
    at label (/home/runner/work/_actions/andymckay/labeler/master/label.js:50:21)
    at Object.<anonymous> (/home/runner/work/_actions/andymckay/labeler/master/label.js:99:1)
    at Module._compile (internal/modules/cjs/loader.js:959:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:995:10)
    at Module.load (internal/modules/cjs/loader.js:815:32)
    at Function.Module._load (internal/modules/cjs/loader.js:727:14)
    at Function.Module.runMain (internal/modules/cjs/loader.js:1047:10)
    at internal/main/run_main_module.js:17:11

Steps to Reproduce

Add the safe to test label to a PR. Push a new commit to the PR, which will trigger this workflow. Note that the safe to test label has not been removed.

Expected Behavior

The safe to test label should be removed when a new commit is pushed to a PR.

When sending beacon (unload) requests using the agent, there is no limit in place for the amount of data added to the body of that request.

According to this post, most browsers (at least at the time) implemented a 64k limit on the maximum size of data allowed to be sent in a given beacon (Edge & Firefox) or navigation context (Chrome): https://github.com/w3c/beacon/issues/38This issue came up in a GTSE ticket with a similar behavior in Safari for iOS. An unload session trace harvest exceeded 64k in length and failed.

Answer question: Is this still an issue (github issue from 2016) How often this happens? How close to this limit? Size of messages consumer sees from the agent.

check how large our request is and how much space is available.

Effort: Medium, open questions

Summary

New Relic Browser collect lots of information about URLs (page urls, ajax-request urls, etc.), and sometimes these can contain information deemed sensitive (either by the authorities or internal company security). Currently there is no way actively mask or replace the segments of these URLs.

Desired Behavior

Ideally, the browser agent API would be extended with functions to replace all URLs with specific patterns, eg. nreum.replaceURL('regex-pattern', replacement). These pattern-replacement pairs would have to be checked for all the URLs being reported to New Relic (including URLs for page-views, browser-interactions, ajax-requests and session-traces).

Possible Solution (field solution)

We created a field solution for this, where we extended the compiled agent and manually added the patterns to the loader.js. The agent.js would then call a specific function before storing the url, and the function would check for patterns and replace where matched are found. I have attached both loader and agent (unminified).
In the loader.js you can find the code at the bottom of the file (line 2392). There are 2 cleaner-functions (used in the agent.js) + an array of regex-patterns and -replace entries.
agent+loader.zip

Additional comments

Although the field solution works, it isn't ideal. Upgrades would have to be extended, source-files changed, etc. A productised solution would be useful for any customer needing to mask or even group their URLs in a custom manner. The agent API would solve the inconvenience of having to re-implement after each agent upgrade.

MMF

#89

Summary

Update documentation for CLS capture methods

Desired Behavior

Documentation should include:

• Explain how and why values are different from Google
  • Different Sample Set
  • Chrome/Lighthouse have different lifecycles
• Update public docs in the current Web Vitals section

• Open sourcing optional work - development processes better
• Small customer tickets - not clearing resource cache, etc.
• Small bugs
• Look over GTSEs and see if it could have been deflected if we had troubleshooting docs, available

Koan Link: https://newrelic.koan.co/team/f5bc77b8-f32c-40c3-a912-32f1a4ae473d/goals/f/goals/fe1fa213-8bf7-45c4-9f6a-1d58d777fd24?view=nested&modal=&status=active&columns=leads%2CdueDate%2Cparent%2Cmetrics%2Cconfidence%2CcloseOutDetails&rosterModal=false

Related Row in Commits Spreadsheet: None.

We are currently capturing the ID of the element. Not all elements will have IDs, and for images it would make sense to capture the URL instead. This would be useful for customers to identify exactly which element (image) resulted in the LCP value to be captured.

https://wicg.github.io/largest-contentful-paint/#sec-largest-contentful-paint-interface

In addition to the URL, we should also consider capturing the type of element (e.g. image, text, video) and class name (for elements that can be identified by class rather than URL or ID).

Feedback from Joel Newman

"If adding a new attribute isn’t prohibitive due to attribute limits or storage costs, I would encourage making the ID and URL data separate things. They’re in very different formats, and would be used in different ways, and using one instead of the other will cause confusion and unintended difficulties in querying downstream.

I think it would be worth exploring more verbose messages than we typically use for situations in which data for one or the other isn’t available. For instance, if the LCP element is not an external resource, we won’t be able to provide a URL for it, but rather than leaving the URL attribute blank, we could instead give it a value of “Inline” or something of that sort. Similarly, when there’s no HTML ID, we could revert to another value (such as class if it’s available) or give it a value of “not set”. This would help circumvent a lot of confusion on the customer’s side, trying to figure out why the agent is not capturing data, and probably help us have fewer support tickets with customers thinking the agent is broken.

This sort of context is especially important for something like LCP because the element it points to won’t be consistent across every page view, which makes it difficult to reproduce the exact behavior from a specific page view for troubleshooting purposes. "

Summary

In order to make better decisions about which features to implement and bugs to fix, it would be useful to be able to collect internal metrics from the agent. This would be useful to find out how the agent works internally in the wild, what data it sees etc.

Desired Behavior

The agent provides an API to collect a metric. This data would be collected by the agent.

Additional context

Examples of when this would be useful

• #71 (Is this piece of code in the agent ever run?)
• #75 (Does the agent every send data that is larger than a given limit?)
• #78 (How often do we see stack traces modified by a 3rd-party that we cannot normalize?)

When web page is hidden (e.g. not active tab), the paint timing events will not fire until the page becomes visible. This makes sense from technical perspective (no paint actually happens when page is hidden), but it affects performance metrics as paint timing values can be very high.

The easiest way to solve this would be to exclude values that are collected on a page that was hidden when it was loading. There is an open discussion around this on W3C -

Discussion around this happened here: w3c/paint-timing#40

and summarized here: https://docs.google.com/document/d/1A0u26wVip78yxlNrJdNKBQj3qdUrbWljY_NQgaIKab4/edit

Page Visibility APIhttps://developer.mozilla.org/en-US/docs/Web/API/Page_Visibility_API

The Problem

Customers are not seeing all of their Fetch calls.

Why Now

We are focusing on efforts on health of the agent and robust instrumentation. There have been increased support tickets and FRs around missing Fetch calls.

Appetite

2 engineer x 2.5 weeks = 5 engineering weeks

What will we do

SPA captures XHR and Fetch as events but only if they are part of route changes. We will now support all Fetch calls, sending them as metrics

Related Operational Links

• Koan Key Result ( FY22 June )
• Commits Sheet ( FY22 June)

Summary

Desired Behavior

Possible Solution

Additional context

The Problem

Customers are not seeing their full URLs when on Chrome 88 and 89 and on Safari. URLs instead are rolling up into the route domain or ‘/’. This happens when using the value from the referrer header. Note: this impacts PageView events and not browser interaction events.

Why Now

We have a workaround behind a feature flag that send the value instead via a query string. 66% percent of traffic is coming from Chrome. 90% of that traffic is using Chrome 88 or Chrome 99.

Appetite

1 engineer x 2 weeks = 2 engineering weeks

What We will do

We’ll either need to make the feature-flagged behavior default, or pass through new configuration to auto-injected agent.

Success Metric

Boolean - customers using Chrome 88 and Chrome 89 can see their full urls

Related Koan Key Result: https://newrelic.koan.co/team/f5bc77b8-f32c-40c3-a912-32f1a4ae473d/goals/f/goals/df725e16-56cf-4e28-a543-0b82d3fa630f?inviteModal=false&view=nested&modal=&status=active&columns=leads%2CdueDate%2Cparent%2Cmetrics%2Cconfidence%2CcloseOutDetails&rosterModal=false

Related Row in Commits Spreadsheet: None.

Opera is no

If time ever comes up to work on JS Errors or removal of legacy code, there are some comments not suitable for public GitHub that identify a portion of the stack trace parsing code built exclusively to support old Opera versions. The work would involve not parsing stack traces for versions of Opera older than 9 and allow us to delete old code.

See comments in this commit: https://source.datanerd.us/browser/browser_agent/blob/903edda05371cd7b253668fd73a680a009cc6acc/feature/err/aggregate/compute-stack-trace.js#L264-L266

https://source.datanerd.us/browser/browser_agent/blob/903edda05371cd7b253668fd73a680a009cc6acc/feature/err/aggregate/compute-stack-trace.js#L322-L327

We are getting many javascript nullpointer exceptions logged in our newrelic dashboard. The Stacktrace points to a specific line in the minified newrelic browserscript:

e.params.status=t.status

This line of the minified version comes from here https://github.com/newrelic/newrelic-browser-agent/blob/main/feature/xhr/instrument/index.js#L278

It seems that params can be undefined at that point. This error is raised only for a small amount of users but for them it happens very frequently.

It happened on Chrome 90 and Edge 90 so far with version nr-spa-1208

Stacktrace

Summary

Since zone.js rewrites the stack trace, New Relic agent doesn't recognize the stack trace in some errors when zone.js is using.
Can we support zone.js style stack trace to show all stack traces?

Desired Behavior

[NOTE]: Show all stack traces

note: angular/angular#31588

Possible Solution

Additional context

This issue was previously discussed in GTSE-9182 and the customer and New Relic engineering decided to submit this feature request.

MMF

#89

Summary

It is useful to know if switching to use the webvitals library has any benefits, and the level of effort it would take to get there.

Desired Outcome

Document outlining the research and the recommendation of action

Things to identify

• Differences between webvitals lib and our current implementation
• Advantages and disadvantages
• Strategy to stay up to date with library updates
• Compatibilities with using the lib (typescript?)

Chrome 92 will force certain interactions to have a Cross-Origin-Resource-Policy: cross-origin header present. Currently our CDN and Ingest do not return this header. We need to investigate the impact this will have and whether we need to take action. Chrome 92 is set for July.

FR for Demplatform team

Summary

The current mechanism of using the NewRelic browser agent is to embed the code snippet - shown in the "Configure the agent" section in the README.md file - directly to the website.

An additional option might be to allow website developers to integrate the browser agent by using npm packages. This mechanism has several advantages, e.g. developers can decide when to update and test a new version of the browser agent. Furthermore, type-safety (when using TypeScript) could be enabled.

For the NewRelic node client, this feature is already implemented. See https://github.com/newrelic/node-newrelic/releases and https://www.npmjs.com/package/newrelic

Desired Behavior

I am able to install the NewRelic browser agent with npm.

Possible Solution

Standard npm publish / GitHub release mechanism. See https://github.com/newrelic/node-newrelic/releases and https://www.npmjs.com/package/newrelic

Additional context

none

Summary

NR Browser Agent could (and should) track CSP errors out of the box. This would likely be a relatively simple implementation and could provide insight on malicious frontend attacks / vulnerabilities.

Desired Behavior

Implementing the NR Browser Agent should capture and forward CSP violation errors to .noticeError() automatically.

Possible Solution

Subscribe to the DOM Event securitypolicyviolation and have the callback issue a newrelic.noticeError(...) with relevant info.

Additional context

Customers could gain insight on malicious activity and vulnerabilities.

##use cases/questions
Shows up as an error in console and not in NR1
How does it show up in the UI given it happens outside of a javascript error
Would you want to track it in a RUM environment
How often CSP blocked something: example: tried to run agent extension and it gets blocked by CSP

• metrics for everything
• spans for some things - SPA? others?
• sampling? - what are the most valuable spans for browser? configuration?

Summary

The agent is currently calling navigator.userAgent in a few places. This causes a warning in Chrome DevTools (Issues tab) starting with version 92. Chrome is gradually reducing the information available in the legacy User Agent API and moving to client hints.

The Client Hints API to use is navigator.userAgentData.

Desired Behavior

Agent does not cause Chrome to display a warning message about the User Agent API in DevTools Issues.

Possible Solution

Use navigator.userAgentData (when available) instead of navigator.userAgent.

This customer had a deploy that changes their NREUM.loader_config and NREUM.info into strings, which caused the Browser agent to not load or report data properly. We expect these values to be passed as objects, but it took weeks to figure out that they had been wrapped with quotes.

If the Browser agent could throw an error when these values are not passed as an object, troubleshooting this issue would be a lot quicker.

Refer to example from this ticket: #77

Summary

Desired Behavior

Possible Solution

Additional context

MMF

#89

Summary

Update the agent to implement the approach outlined in Issue 104

Desired Behavior

• Agent should capture CLS according to new specs as decided on in MMF Doc and Issue 104
• Agent should have new unit and functional tests to validate new capture method
• Engineer should validate previous/existing tests still work

Summary

Currently, the touchstart EventListener is not using the passive flag therefore the Lighthouse passive event listener audit fails. This was already brought up in the NewRelic Forum in November 2020 but the issues still seem to persist.

Possible Solution

Add the {passive: true} flag to the touchstart EventListener

Additional context

Google Lighthouse flags event listeners that may delay page scrolling: web.dev documentation

Effort: Small

Currently, all browser-based tests in the agent are run using SauceLabs. This requires a private authentication key and means PRs from external contributors require a manual review by a member of the team to ensure the code is safe to run in an environment where these SauceLabs authentication keys could be accessed.

Instead of running cross-browser tests using SauceLabs, we could instead host a Selenium WebDriver in the same way to run these tests against headless versions of the browsers within the GitHub workflow itself.

This may require some change to the protocol we use to communicate between the test and the WebDriver. Some options for hosting the selenium server are below.

Use WebDriver IO: https://developers.google.com/web/updates/2017/04/headless-chrome#drivers

Host Selenium Hub as a service in the GitHub Action (example here)

Value: currently we have to add a label to run tests, this would allow tests to run automatically on the PR. This would have an additional advantage of contributor PRs auto-running tests

Medium Effort

Dependency: Before determining the size of work necessary to resolve this issue, we need to determine which versions of Chrome for iOS are incompatible with the XHR feature and which should be feature-gated.

Rebecca Note: We need to get estimations on total amount of traffic impacted.

There are still some context details on this ticket: https://docs.google.com/document/d/15Z3v_SGCFCqyW5Cib2ODdYHIaPyQLv-ZmU4uzr8e-RA/edit?usp=sharing

Update 7/7/2020: Because of the behavior of older versions of Chrome for iOS, the browser agent has not enabled XHR or Session Trace instrumentation in that browser. This means AjaxRequest and Span events will not be harvested for traffic from Chrome for iOS. It also means BrowserInteraction duration measurements will not include any network (XMLHttpRequest and Fetch) related duration. BrowserInteractions from Chrome for iOS will currently show NavigationTiming API related values, but no ajaxCount and little to no value for duration.

The work this ticket now represents is removing that override, instrumenting the latest version Chrome for iOS, confirming whether the data produced is valid and ticketing the necessary work to release a version of the agent which instruments SPA on Chrome for iOS for versions older than the tested working version. See comments below on how to locally inject and test the agent in Chrome on iOS.

We cannot see any BrowserInteraction events from iPhone X using Chrome 80. I have tried using emulation, and that reports using Safari. They have implemented the suggestion from the other ticket, https://newrelic.zendesk.com/agent/#/tickets/392985

Please see Zendesk Support tab for further comments and attachments.

other comments from Jira card:
Aubrey: Attaching another related behavior, currently creating custom interactions using the SPA API in Chrome for iOS causes 1000s of interactions with no timing data to be created, this should hopefully be resolved if/when SPA was properly enabled for this user agent.

Lindsy: Updated this ticket to include AJAX request events per previous ticket JS-5807: Chrome in iOS and iPad is not reporting XHRREJECTED

Notes form comments in that ticket:Ticket that triggered this inquiry:
https://newrelic.zendesk.com/agent/tickets/344795

Impact is significant since it's causing them to miss AJAX data on a retail site. They are open to implementing a workaround if one is available. I will ask Dublin support team to do a temperature check with this information.

Closing 5087 to work from this ticket for both issues as they are the same culprit.

Aubrey:
For whoever picks up this ticket to inject the agent and determine whether we can enable XHR and SPA for Chrome, this is the process I used to inject the agent on customer or local sites on iOS:

Proxy traffic between iOS and Charles to inspect network requests made by Chrome. Use. this tutorial to enable and trust certificate: https://benoitpasquier.com/charles-ssl-proxy-ios/

Use Charles' external proxy settings to forward traffic to agent in the middle. Replace the port in the screenshot with the port agent-in-the-middle exposes