Console Log Instrumentation breaks on foreign objects

[mitsuhiko]

Currently our console.log and friends patchers assume that the call of obj.toString() is safe. That's demonstrably not the case if the objects logged are from an insecure foreign window (SecurityError Blocked a frame with origin "blah" from accessing a cross-origin frame.).

Example where we do this:

https://github.com/getsentry/raven-js/blob/b532909585d6ead92c612c0acfaee86010e5acd3/src/console.js#L14

Should probably become something like this:

args.map((obj) => {
  try {
    return String(obj);
  } catch (err) {
    return '[object cannot be stringified]';
  }
}).join(' ');

[mitsuhiko]

Also further notes: this is likely to affect more parts. We should setup a general policy of being super careful about doing assumptions about objects we deal with. We had similar problems where objects passing the react-native bridge end up being frozen and the code did not deal with this well.

Maybe it makes sense to add some helpers for potentially foreign objects and a naming convention to make it clear when objects might be tamper proof.

[kamilogorek]

Released as 3.22.2