While this looks useful, if `Foo` is an part of my application state I'm not too crazy about shipping that over to Facebook if I wanted to use this feature.
To clarify: the error message contains a link which goes to our GitHub pages site -- nothing is sent to any server automatically. You can always edit the URL if there's sensitive data in it for some reason.
You can also review the full source of our site or run it locally if you care to; it's all in the repo.
It still means I'm sending potentially sensitive data (idk, passwords) to a server I don't own. There is no way I can trust github on this. Would there be a less-than-hacky way then regexing the URL? a way to let it redirect to a self-hosted version of the github page for example? Shouldn't be too hard to add and would solve OPs concerns.
The `reactProdInvariant` function [1] does the URL encoding job and the decoder on our documentation page is just a React component [2]. I totally understand your concern and for now you can simply edit the `reactProdInvariant` function to fit your needs.
> It still means I'm sending potentially sensitive data (idk, passwords) to a server I don't own
Not sure if you missed spicyj's point or arguing that you yourself might not notice the sensitive data in the url.
If you - as the developer - need to inquire more about the error (say after reproducing it on production), you copy and paste the error url and remove the sensitive data before going to said url.
What about using the hash part of the URL (#) instead of the query part (?)? That doesn't get sent to the server. Although you still have to trust that a script on the page isn't reading that information and shuttling it off somewhere else--but then, you're already trusting Facebook code anyway.
Suggestion: you can provide some UI on the site to copy paste the error message instead of linking.
Even copying the error can be made a bit easier. Most (atleast FF and Chrome) consoles have the `copy` function which directly copies the passed string to clipboard. So when the error occurs, you can store it in an object in the global scope and the developer can just copy it with `copy(React.runtimeErrors.<errid>)` which is all autocompleted by the console anyways.
Now surely copy pasting secret stuff on another site is not very secure, but atleast it is not gonna be leaked to everyone in between the network from the url.
While this looks useful, if `Foo` is an part of my application state I'm not too crazy about shipping that over to Facebook if I wanted to use this feature.