feat(cloudflare): Migrate to dataCollection (#21237)

chargome · web-flow · commit 737f69fb653a · 2026-06-01T15:49:39.000+02:00
Migrates the Cloudflare SDK from `sendDefaultPii` to the new `dataCollection` spec, **without changing default behavior** (the breaking default flips are deferred to v11). - **`request.ts`**: Pass `client.getDataCollectionOptions()` to `httpHeadersToSpanAttributes` instead of the `sendDefaultPii` boolean. Header/cookie filtering is now driven by the resolved `dataCollection`. - **`sdk.ts`**: `requestDataIntegration` is configured from `dataCollection`, but cookies are kept **off by default** (Cloudflare's historical behavior) unless the user opts in via `sendDefaultPii` or `dataCollection.cookies`. Marked `TODO(v11)` to drop this gate and let cookies default on (denylist-filtered) per spec (#21260). - **`httpServer.ts`**: `maxRequestBodySize` continues to default to `'medium'` (bodies captured by default, matching the Node SDK and pre-migration behavior). Marked `TODO(v11)` to gate body capture on `dataCollection.httpBodies` (#21258). Fixes #20934
diff --git a/packages/cloudflare/src/integrations/httpServer.ts b/packages/cloudflare/src/integrations/httpServer.ts
@@ -85,6 +85,8 @@ export async function captureIncomingRequestBody(client: Client, request: Reques
     return;
   }
 
+  // TODO(v11): Gate incoming request body capture on `dataCollection.httpBodies` (capture only when
+  // `'incomingRequest'` is listed) instead of defaulting to `'medium'`.
   const maxRequestBodySize = integration.maxRequestBodySize;
 
   if (maxRequestBodySize === 'none') {
diff --git a/packages/cloudflare/src/request.ts b/packages/cloudflare/src/request.ts
@@ -74,7 +74,7 @@ export function wrapRequestHandler(
       attributes,
       httpHeadersToSpanAttributes(
         winterCGHeadersToDict(request.headers),
-        getClient()?.getOptions().sendDefaultPii ?? false,
+        getClient()?.getDataCollectionOptions() ?? false,
       ),
     );
 
diff --git a/packages/cloudflare/src/sdk.ts b/packages/cloudflare/src/sdk.ts
@@ -24,7 +24,10 @@ import { defaultStackParser } from './vendor/stacktrace';
 
 /** Get the default integrations for the Cloudflare SDK. */
 export function getDefaultIntegrations(options: CloudflareOptions): Integration[] {
-  const sendDefaultPii = options.sendDefaultPii ?? false;
+  // TODO(v11): Drop this transitional gating and let `requestDataIntegration` rely on the resolved
+  // `dataCollection` defaults directly. Until then, preserve the historical Cloudflare behavior of not
+  // attaching cookies unless the user explicitly opts in via `sendDefaultPii` or `dataCollection.cookies`.
+  const cookiesEnabled = options.sendDefaultPii || options.dataCollection?.cookies != null;
   return [
     // The Dedupe integration should not be used in workflows because we want to
     // capture all step failures, even if they are the same error.
@@ -38,8 +41,7 @@ export function getDefaultIntegrations(options: CloudflareOptions): Integration[
     fetchIntegration(),
     honoIntegration(),
     httpServerIntegration(),
-    // TODO(v11): the `include` object should be defined directly in the integration based on `sendDefaultPii`
-    requestDataIntegration(sendDefaultPii ? undefined : { include: { cookies: false } }),
+    requestDataIntegration(cookiesEnabled ? undefined : { include: { cookies: false } }),
     consoleIntegration(),
   ];
 }
diff --git a/packages/cloudflare/test/request.test.ts b/packages/cloudflare/test/request.test.ts
@@ -205,6 +205,9 @@ describe('withSentry', () => {
       expect(sentryEvent.contexts?.culture).toEqual({ timezone: 'UTC' });
     });
 
+    // TODO(v11): Body capture should be gated on `dataCollection.httpBodies` (only capture when
+    // `'incomingRequest'` is listed). Until then we keep the historical behavior of capturing
+    // incoming request bodies by default at `'medium'`, consistent with the Node SDK.
     test('captures request body with default integration (medium size)', async () => {
       let sentryEvent: Event = {};
       const context = createMockExecutionContext();
@@ -237,6 +240,82 @@ describe('withSentry', () => {
       );
     });
 
+    // TODO(v11): Cookies should be attached (subject to denylist filtering) by default. Until then we keep the
+    // historical Cloudflare behavior of not attaching cookies unless the user explicitly opts in.
+    test('does not capture cookies by default', async () => {
+      let sentryEvent: Event = {};
+
+      await wrapRequestHandler(
+        {
+          options: {
+            ...MOCK_OPTIONS,
+            beforeSend(event) {
+              sentryEvent = event;
+              return null;
+            },
+          },
+          request: new Request('https://example.com', { headers: { cookie: 'foo=bar' } }),
+          context: createMockExecutionContext(),
+        },
+        () => {
+          SentryCore.captureMessage('cookies');
+          return new Response('test');
+        },
+      );
+
+      expect(sentryEvent.request?.cookies).toBeUndefined();
+    });
+
+    test('captures cookies when dataCollection.cookies is enabled', async () => {
+      let sentryEvent: Event = {};
+
+      await wrapRequestHandler(
+        {
+          options: {
+            ...MOCK_OPTIONS,
+            dataCollection: { cookies: true },
+            beforeSend(event) {
+              sentryEvent = event;
+              return null;
+            },
+          },
+          request: new Request('https://example.com', { headers: { cookie: 'foo=bar' } }),
+          context: createMockExecutionContext(),
+        },
+        () => {
+          SentryCore.captureMessage('cookies');
+          return new Response('test');
+        },
+      );
+
+      expect(sentryEvent.request?.cookies).toEqual({ foo: 'bar' });
+    });
+
+    test('captures cookies when sendDefaultPii is enabled', async () => {
+      let sentryEvent: Event = {};
+
+      await wrapRequestHandler(
+        {
+          options: {
+            ...MOCK_OPTIONS,
+            sendDefaultPii: true,
+            beforeSend(event) {
+              sentryEvent = event;
+              return null;
+            },
+          },
+          request: new Request('https://example.com', { headers: { cookie: 'foo=bar' } }),
+          context: createMockExecutionContext(),
+        },
+        () => {
+          SentryCore.captureMessage('cookies');
+          return new Response('test');
+        },
+      );
+
+      expect(sentryEvent.request?.cookies).toEqual({ foo: 'bar' });
+    });
+
     test('does not capture request body for GET requests', async () => {
       let sentryEvent: Event = {};
       const context = createMockExecutionContext();

Original file line number	Diff line number	Diff line change
`@@ -85,6 +85,8 @@ export async function captureIncomingRequestBody(client: Client, request: Reques`
`85`	`85`	`return;`
`86`	`86`	`}`
`87`	`87`
	`88`	+ // TODO(v11): Gate incoming request body capture on `dataCollection.httpBodies` (capture only when
	`89`	+ // `'incomingRequest'` is listed) instead of defaulting to `'medium'`.
`88`	`90`	`const maxRequestBodySize = integration.maxRequestBodySize;`
`89`	`91`
`90`	`92`	`if (maxRequestBodySize === 'none') {`