Document CSP wildcard depth gotcha for ingest.us.sentry.io #17202
Description
Summary
The Sentry JavaScript SDK (and by extension framework SDKs like @sentry/angular) silently fails to send telemetry in environments with strict CSP enforcement — most notably iOS WKWebView — when the connect-src directive uses *.sentry.io instead of a more specific pattern that covers the four-label ingestion domain.
Background
Sentry's data ingestion endpoint follows the pattern https://o<orgId>.ingest.us.sentry.io (and ingest.de.sentry.io for EU orgs). This is a four-level deep domain. The CSP * wildcard only covers a single label and does not cross dots, so:
*.sentry.io ✅ matches app.sentry.io, browser.sentry.io
*.sentry.io ❌ does not match o123.ingest.us.sentry.io
Desktop browsers are lenient and often let requests through anyway. iOS WKWebView enforces CSP strictly, causing the SDK to appear uninitialized with no errors surfaced to the developer.
Fix: Add explicit patterns to connect-src:
Content-Security-Policy: connect-src 'self' https://*.ingest.sentry.io https://*.ingest.us.sentry.io https://*.ingest.de.sentry.io;
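As an added example (not part of this issue, the Sentry docs or the SDK), a small pre-deployment lint that checks whether a CSP header's connect-src covers the ingest host of a Sentry DSN under the single-label wildcard interpretation described above. The DSN, key and header values below are constructed samples; the function names are hypothetical.

```javascript
// Added example: lint a CSP header against a Sentry DSN using the strict,
// single-label wildcard matching this issue reports for WKWebView.

// Constructed sample DSN (public key and org id are placeholders).
const SAMPLE_DSN = 'https://examplePublicKey@o123.ingest.us.sentry.io/456';

// The ingest host is the DSN's hostname, e.g. o123.ingest.us.sentry.io.
function ingestHostFromDsn(dsn) {
  return new URL(dsn).hostname;
}

// Parse a CSP header value into { directiveName: [sourceExpressions] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Strict host match: "*" stands in for exactly one label, so "*.sentry.io"
// covers "app.sentry.io" but not "o123.ingest.us.sentry.io".
function hostMatchesStrict(pattern, host) {
  if (pattern === '*' || pattern === host) return true;
  if (!pattern.startsWith('*.')) return false;
  const suffix = pattern.slice(2);
  if (!host.endsWith('.' + suffix)) return false;
  const remainder = host.slice(0, host.length - suffix.length - 1);
  return !remainder.includes('.');
}

// Reduce "https://*.ingest.us.sentry.io:443/path" to its host part.
function sourceHost(source) {
  const withoutScheme = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');
  return withoutScheme.split(/[/:]/)[0].toLowerCase();
}

// Return the connect-src (or fallback default-src) sources that cover the
// DSN host. An empty array means SDK requests are blocked under strict CSP.
// Keyword sources such as 'self' are skipped: the page origin is unknown here.
function connectSrcCoverage(cspHeader, dsn) {
  const host = ingestHostFromDsn(dsn);
  const scheme = new URL(dsn).protocol; // e.g. "https:"
  const directives = parseCsp(cspHeader);
  const sources = directives['connect-src'] || directives['default-src'] || [];
  return sources.filter((src) => {
    if (src.startsWith("'")) return false;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return src.toLowerCase() === scheme;
    return hostMatchesStrict(sourceHost(src), host);
  });
}
```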
Scope
- Add a note to SDK installation / configuration docs (likely the JavaScript / Angular / Capacitor getting-started pages and any existing CSP guidance) explaining the wildcard depth limitation.
- Call out that iOS WKWebView and other strict CSP environments will silently drop telemetry if the ingest subdomain is not explicitly allowed.
- Consider adding this to a dedicated troubleshooting section for mobile WebView setups.
Dependencies
Related existing docs surface: includes/platforms/security-policy-reporting/content.mdx
Action taken on behalf of Wassim Melakhessou.