
fix(core): Ensure isSentryRequest handles subdomains properly #20530

Merged
mydea merged 1 commit into develop from fn/is-sentry-request on Apr 28, 2026

Conversation

@mydea (Member) commented Apr 27, 2026

This adjusts our check for internal Sentry requests to ensure we do not accidentally mark more complex subdomain URLs as sentry-internal.

How this could be misused:

  1. Attacker discovers the victim application's Sentry DSN host from the client-side JavaScript (e.g., o123456.ingest.sentry.io).
  2. Attacker registers a domain containing the DSN host as a substring (e.g., o123456.ingest.sentry.io.attacker.com).
  3. Attacker exploits an existing XSS or client-side vulnerability to make the victim's browser send data exfiltration requests to https://o123456.ingest.sentry.io.attacker.com/steal?sentry_key=fake&data=stolen_session.
  4. Because isSentryRequestUrl classifies this URL as a Sentry request (hostname substring matches and sentry_key= is present), the exfiltration requests are silently excluded from all Sentry monitoring — no HTTP error events, no session replay network logs, no fetch spans, and no OpenTelemetry traces.
  5. The attacker's data exfiltration activity is invisible to the security team reviewing Sentry dashboards.
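The failure mode described above comes down to matching the DSN host as a raw substring of the request URL. The block below is an added illustration, not the Sentry SDK's own `isSentryRequestUrl`: it puts a weak substring check, modelled on the behaviour the description attributes to the old logic, beside a hardened check that parses the URL, compares the parsed hostname with the DSN host exactly and reads `sentry_key` as a real query parameter. The function names, the sample DSN host `o123456.ingest.sentry.io` and every URL in `SAMPLE_URLS` are constructed for the example; the hardened variant is one defensive design and is not claimed to be the project's actual fix.

```typescript
// Added illustration for the issue described in the PR above. This is NOT the
// Sentry SDK's own isSentryRequestUrl; the function names, the sample DSN host
// and every URL below are constructed for the example.

// Constructed DSN host in the shape the PR description uses.
const SAMPLE_DSN_HOST = "o123456.ingest.sentry.io";

/**
 * Weak check, modelled on the behaviour the PR description attributes to the
 * old logic: a raw substring match on the DSN host plus the presence of the
 * literal "sentry_key=". Any URL that merely contains the host somewhere
 * passes, including lookalike hostnames and hosts embedded in a query string.
 */
function isSentryRequestWeak(url: string, dsnHost: string): boolean {
  return url.includes(dsnHost) && url.includes("sentry_key=");
}

/** Parses an absolute URL; returns null for relative or malformed input. */
function parseAbsoluteUrl(url: string): URL | null {
  try {
    return new URL(url);
  } catch {
    return null;
  }
}

/**
 * Hardened check (one defensive design, not necessarily the project's fix):
 * require an http(s) scheme, compare the parsed hostname with the DSN host
 * exactly, and look for sentry_key as an actual query parameter. Unparsable
 * or relative URLs are treated as NOT internal, so a request is never dropped
 * from monitoring by accident.
 */
function isSentryRequestStrict(url: string, dsnHost: string): boolean {
  const parsed = parseAbsoluteUrl(url);
  if (parsed === null) {
    return false;
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
    return false;
  }
  // The WHATWG parser lower-cases ASCII hostnames, so normalise the DSN host too.
  if (parsed.hostname !== dsnHost.toLowerCase()) {
    return false;
  }
  return parsed.searchParams.has("sentry_key");
}

interface CheckResult {
  url: string;
  weak: boolean;
  strict: boolean;
}

// Constructed sample URLs: a genuine ingest request, the lookalike host from
// the PR description, a host smuggled into a query string, an upper-cased
// genuine host, and a relative URL.
const SAMPLE_URLS: string[] = [
  "https://o123456.ingest.sentry.io/api/123/envelope/?sentry_key=abc",
  "https://o123456.ingest.sentry.io.attacker.example/steal?sentry_key=fake&data=stolen_session",
  "https://evil.example/collect?redirect=https://o123456.ingest.sentry.io/&sentry_key=1",
  "https://O123456.INGEST.SENTRY.IO/api/123/envelope/?sentry_key=abc",
  "/api/123/envelope/?sentry_key=abc",
];

/** Runs both checks over the samples so the difference can be inspected or asserted. */
function compareChecks(
  urls: string[] = SAMPLE_URLS,
  dsnHost: string = SAMPLE_DSN_HOST,
): CheckResult[] {
  return urls.map((url) => ({
    url,
    weak: isSentryRequestWeak(url, dsnHost),
    strict: isSentryRequestStrict(url, dsnHost),
  }));
}

for (const r of compareChecks()) {
  console.log(`${r.url}\n  weak=${r.weak} strict=${r.strict}`);
}
```

Running the block shows the two directions in which substring matching misbehaves: the lookalike host and the host-in-query-string URL are excluded by the weak check (so their traffic would vanish from error, replay and span instrumentation), while the upper-cased genuine ingest URL slips past the weak check and would be instrumented, and only the parsed-hostname comparison gets all four cases right.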

@mydea mydea requested review from nicohrubec and s1gr1d April 27, 2026 14:01
@mydea mydea self-assigned this Apr 27, 2026
@github-actions (Contributor)

size-limit report 📦

| Path | Size | % Change | Change |
|---|---|---|---|
| @sentry/browser | 26.13 kB | - | - |
| @sentry/browser - with treeshaking flags | 24.6 kB | - | - |
| @sentry/browser (incl. Tracing) | 44.07 kB | - | - |
| @sentry/browser (incl. Tracing + Span Streaming) | 46.06 kB | - | - |
| @sentry/browser (incl. Tracing, Profiling) | 49.02 kB | - | - |
| @sentry/browser (incl. Tracing, Replay) | 83.29 kB | +0.04% | +27 B 🔺 |
| @sentry/browser (incl. Tracing, Replay) - with treeshaking flags | 72.79 kB | +0.04% | +22 B 🔺 |
| @sentry/browser (incl. Tracing, Replay with Canvas) | 87.97 kB | +0.03% | +26 B 🔺 |
| @sentry/browser (incl. Tracing, Replay, Feedback) | 100.64 kB | +0.04% | +31 B 🔺 |
| @sentry/browser (incl. Feedback) | 43.37 kB | - | - |
| @sentry/browser (incl. sendFeedback) | 30.93 kB | - | - |
| @sentry/browser (incl. FeedbackAsync) | 36.11 kB | - | - |
| @sentry/browser (incl. Metrics) | 27.41 kB | - | - |
| @sentry/browser (incl. Logs) | 27.56 kB | - | - |
| @sentry/browser (incl. Metrics & Logs) | 28.24 kB | - | - |
| @sentry/react | 27.86 kB | - | - |
| @sentry/react (incl. Tracing) | 46.31 kB | - | - |
| @sentry/vue | 31 kB | - | - |
| @sentry/vue (incl. Tracing) | 45.91 kB | - | - |
| @sentry/svelte | 26.15 kB | - | - |
| CDN Bundle | 28.8 kB | - | - |
| CDN Bundle (incl. Tracing) | 46.61 kB | - | - |
| CDN Bundle (incl. Logs, Metrics) | 30.19 kB | - | - |
| CDN Bundle (incl. Tracing, Logs, Metrics) | 47.67 kB | - | - |
| CDN Bundle (incl. Replay, Logs, Metrics) | 69.18 kB | +0.05% | +28 B 🔺 |
| CDN Bundle (incl. Tracing, Replay) | 83.7 kB | +0.03% | +25 B 🔺 |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) | 84.74 kB | +0.04% | +26 B 🔺 |
| CDN Bundle (incl. Tracing, Replay, Feedback) | 89.53 kB | +0.03% | +25 B 🔺 |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) | 90.59 kB | +0.03% | +25 B 🔺 |
| CDN Bundle - uncompressed | 84.45 kB | - | - |
| CDN Bundle (incl. Tracing) - uncompressed | 139.45 kB | - | - |
| CDN Bundle (incl. Logs, Metrics) - uncompressed | 88.59 kB | - | - |
| CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed | 142.86 kB | - | - |
| CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed | 212.21 kB | +0.03% | +47 B 🔺 |
| CDN Bundle (incl. Tracing, Replay) - uncompressed | 256.94 kB | +0.02% | +47 B 🔺 |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed | 260.33 kB | +0.02% | +47 B 🔺 |
| CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed | 270.64 kB | +0.02% | +47 B 🔺 |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed | 274.02 kB | +0.02% | +47 B 🔺 |
| @sentry/nextjs (client) | 48.8 kB | - | - |
| @sentry/sveltekit (client) | 44.52 kB | - | - |
| @sentry/node-core | 58.74 kB | +0.02% | +7 B 🔺 |
| @sentry/node | 169.84 kB | +0.01% | +9 B 🔺 |
| @sentry/node - without tracing | 97.57 kB | +0.01% | +4 B 🔺 |
| @sentry/aws-serverless | 114.31 kB | +0.01% | +6 B 🔺 |
| @sentry/cloudflare (withSentry) - minified | 163.31 kB | +0.06% | +91 B 🔺 |
| @sentry/cloudflare (withSentry) | 412.8 kB | +0.06% | +243 B 🔺 |


@mydea mydea merged commit 1b33ddf into develop Apr 28, 2026
257 checks passed
@mydea mydea deleted the fn/is-sentry-request branch April 28, 2026 07:50