sentry-react-native

Allowlist for navigation route params

Open philipphofmann opened this issue 2 years ago • 3 comments

Description

With https://github.com/getsentry/sentry-react-native/pull/3487 shipped in 5.12.2 the SDK stopped sending navigation route params for auto-generated transactions because they could contain PII or other sensitive data. Instead of dropping all parameters, we could define an allow list and/or guard sending params with sendDefaultPii. Anyways, even if sendDefaultPii is on, we must drop parameters such as username and password.

Related docs PR https://github.com/getsentry/sentry-docs/pull/8767 and Relay PR to scrub PII from transaction data https://github.com/getsentry/relay/pull/2899.

philipphofmann, Dec 22 '23 12:12

For us, it'd be nice if you could just turn the 'include all params' feature back on rather than having to maintain a specific allow list - we never put anything sensitive in our nav params and the extra context can be invaluable. I suppose if the allow list supports regexps/patterns so we could easily say 'include everything' it'd be fine... 🤔

liamjones, Dec 22 '23 14:12

Related RFC: https://github.com/getsentry/rfcs/blob/main/text/0062-controlling-pii-and-credentials-in-sd-ks.md

kahest, Jan 12 '24 10:01

Browser JS context, thank you @Lms24

Default browser routing instrumentation does not include query params, but Vue routing integration does add them to the spans data bag.

httpClientIntegration adds a raw URL to the event request via httpContextIntegration.

From my side, the most user-friendly way would be to add allowList without sendDefaultPii, with no default values.

krystofwoldrich, Mar 15 '24 12:03
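
The allowlist discussed in this thread, sketched as an added example that is not code from the SDK or from any commenter; `filterRouteParams` and `ALWAYS_DROP` are hypothetical names. It assumes an empty default allowlist, entries that are exact strings or RegExps, and that username and password are dropped even when a pattern matches every key.

```javascript
// Added example: a hypothetical filter, not an API of the Sentry SDK.

// Keys that are never sent, whatever the allowlist says.
// username and password are the two named in the issue.
const ALWAYS_DROP = [/^username$/i, /^password$/i];

function matches(key, pattern) {
  if (pattern instanceof RegExp) {
    pattern.lastIndex = 0; // keep g/y-flagged regexes stateless between calls
    return pattern.test(key);
  }
  return pattern === key;
}

// allowList: exact key strings or RegExps. Empty by default, so nothing is
// sent until the app opts in.
function filterRouteParams(params, allowList = []) {
  const kept = {};
  const dropped = [];
  if (params === null || typeof params !== 'object') {
    return { kept, dropped };
  }
  for (const [key, value] of Object.entries(params)) {
    const denied = ALWAYS_DROP.some((p) => matches(key, p));
    const allowed = !denied && allowList.some((p) => matches(key, p));
    // Nested objects and arrays are dropped whole: their inner keys were
    // never checked against either list.
    const primitive = ['string', 'number', 'boolean'].includes(typeof value);
    if (allowed && primitive) {
      kept[key] = value;
    } else {
      dropped.push(key);
    }
  }
  return { kept, dropped };
}

// Constructed sample route params.
const sampleParams = {
  productId: 42,
  tab: 'reviews',
  username: 'alice',
  Password: 'hunter2',
  filter: { password: 'nested' },
};

console.log(filterRouteParams(sampleParams));                // default: nothing kept
console.log(filterRouteParams(sampleParams, ['productId'])); // explicit opt-in
console.log(filterRouteParams(sampleParams, [/.*/]));        // "include everything"
```

Returning the dropped key names alongside the kept values lets a caller log which params were withheld without logging their contents.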