loke.dev

4 Critical Production Events That Your Try-Catch Blocks Are Blind To

Native browser interventions and CSP violations don't trigger standard error listeners—here is how to finally stop flying blind in production using the Reporting API.

· 4 min read

I’ve spent an embarrassing amount of time staring at a perfectly green Sentry dashboard while users in our Slack channel complained that the "app is just broken." It’s a special kind of gaslighting when your logs insist everything is fine, but the reality on the ground is a total meltdown.

We’ve been conditioned to think that wrapping things in a try-catch block or hooking into window.onerror covers our bases. But modern browsers have a whole category of "silent killers"—events that happen entirely outside the reach of your JavaScript’s error-handling logic. If the browser decides to kill your script because it's consuming too much memory, or blocks a resource due to a security policy, your standard error listeners won't even blink.

To see these, you need the Reporting API. It’s the "black box" flight recorder for the web that catches what your application code literally cannot see.

1. CSP Violations: The "Security says No" failures

Content Security Policy (CSP) is great for preventing XSS, but it’s also a great way to accidentally break your own site. If you deploy a new policy that accidentally blocks a critical third-party script or an inline style, the browser just stops the request.

Because this is a security violation enforced by the browser's engine, your try-catch won't catch it. The script just... doesn't run.

// This won't catch a CSP violation
try {
  loadCriticalPaymentScript(); 
} catch (e) {
  // Silence...
}

// But the Reporting API will:
const observer = new ReportingObserver((reports, observer) => {
  for (const report of reports) {
    if (report.type === 'csp-violation') {
      console.warn('CSP Violation:', report.body.blockedURL);
      // Now you can send this to your logging endpoint
    }
  }
}, { buffered: true });

observer.observe();

2. Browser Interventions: When the browser loses patience

Chrome and Safari aren't just passive document viewers anymore; they’re aggressive resource managers. If your app tries to play an auto-playing video on a slow 3G connection, or if a script is hogging the CPU for too long, the browser might simply "intervene" and kill the process.

These Interventions are invisible to standard monitoring. You won't see a TypeError in your logs. You'll just see a user who bounced because your main feature never initialized.

const observer = new ReportingObserver((reports) => {
  const interventions = reports.filter(r => r.type === 'intervention');
  interventions.forEach(report => {
    sendToAnalytics({
      id: report.body.id,
      message: report.body.message, // e.g., "Auto-play blocked"
    });
  });
}, { buffered: true });

observer.observe();

3. Deprecations: The "Time Bomb" warnings

We’ve all been there: a browser update rolls out, and suddenly a legacy API you rely on is gone. Usually, browsers show a warning in the console for months before they actually pull the plug. The problem? You don't see your users' consoles.

By the time the try-catch finally catches the is not a function error, the feature is already dead in production. The Reporting API lets you catch these deprecation reports while the feature is still working, giving you a lead time to fix it before the actual breakage happens.

const observer = new ReportingObserver((reports) => {
  for (const report of reports) {
    if (report.type === 'deprecation') {
      console.log(`Plan for the future: ${report.body.id} is going away on ${report.body.anticipatedRemoval}`);
    }
  }
}, { buffered: true });

observer.observe();

4. Crash Reports: The "Tab of Death"

Sometimes the whole process just gives up. If the browser tab crashes (the "Aw, Snap!" screen), no amount of JavaScript on that page can log the error. The code execution environment is effectively dead.

To catch these, you can't rely on the ReportingObserver (which lives in the JS thread). Instead, you have to use the Reporting-Endpoints HTTP header. This tells the browser: "If this page crashes, please POST a report to this URL once the browser is back on its feet."

In your server headers:

Reporting-Endpoints: endpoint-1="https://your-api.com/reports"

And to link it to specific events:

Report-To: {"group":"default","max_age":10886400,"endpoints":[{"url":"https://your-api.com/reports"}]}

Getting it into production (The Gotchas)

Setting up a ReportingObserver in your frontend code is the easiest way to start, but keep a few things in mind:

1. Browser Support: It’s great in Chromium-based browsers (Chrome, Edge, Opera). Safari and Firefox are still catching up on some report types, so treat this as progressive enhancement.
2. The `buffered: true` flag: Always use this. It tells the observer to grab reports that happened *before* the observer was initialized (like those that happened during the initial page load).
3. Don't DIY the backend: If you start using the HTTP header approach, the browser will send a lot of JSON. Use an existing intake service or a dedicated worker to filter the noise.

Using the Reporting API is the difference between guessing why your conversion rate dropped and actually seeing the browser tell you: *"Hey, I killed your checkout script because it took 10 seconds to load."*

Stop flying blind. Your try-catch blocks are lonely and only see half the story.