feat(browser): Migrate sendDefaultPii to dataCollection in browser packages (#21097)

- `browser/src/client.ts`: Migrate to `dataCollection` for `infer_ip`
relay setting and `addAutoIpAddressToSession` listener
- `browser/src/integrations/httpclient.ts`: Split single
`sendDefaultPii` gate into granular `cookies`, `httpHeaders.request`,
`httpHeaders.response` checks with new collect behavior filtering.
Includes a backwards-compat guard so legacy `sendDefaultPii` users see
no behavioral change (deferred to v11).
- `browser-utils/src/metrics/utils.ts`: Migrate to `dataCollection` for
`client.address` span attribute

---
**Note on backwards compatibility:**

When `dataCollection` is not explicitly set by the user, the httpclient
integration falls back to the old `sendDefaultPii` boolean gate
(all-or-nothing). This avoids silently sending more data for existing
users. When `dataCollection` is explicitly set, the granular filtering
is applied.
(#21094)

closes #20929

Author: chargome

dev-packages/browser-integration-tests/suites/integrations/httpclient/fetch/withDataCollection/init.js

@@ -0,0 +1,14 @@
+import * as Sentry from '@sentry/browser';
+import { httpClientIntegration } from '@sentry/browser';
+
+window.Sentry = Sentry;
+
+Sentry.init({
+  dsn: 'https://public@dsn.ingest.sentry.io/1337',
+  integrations: [httpClientIntegration()],
+  tracesSampleRate: 1,
+  dataCollection: {
+    cookies: true,
+    httpHeaders: { request: true, response: true },
+  },
+});

dev-packages/browser-integration-tests/suites/integrations/httpclient/fetch/withDataCollection/subject.js

@@ -0,0 +1,9 @@
+fetch('http://sentry-test.io/foo', {
+  method: 'GET',
+  credentials: 'include',
+  headers: {
+    Accept: 'application/json',
+    'Content-Type': 'application/json',
+    Cache: 'no-cache',
+  },
+});

dev-packages/browser-integration-tests/suites/integrations/httpclient/fetch/withDataCollection/test.ts

@@ -0,0 +1,51 @@
+import { expect } from '@playwright/test';
+import type { Event } from '@sentry/core';
+import { sentryTest } from '../../../../../utils/fixtures';
+import { envelopeRequestParser, waitForErrorRequest } from '../../../../../utils/helpers';
+
+sentryTest(
+  'should capture request and response headers when using dataCollection options',
+  async ({ getLocalTestUrl, page }) => {
+    const url = await getLocalTestUrl({ testDir: __dirname });
+
+    await page.route('**/foo', route => {
+      return route.fulfill({
+        status: 500,
+        body: JSON.stringify({
+          error: {
+            message: 'Internal Server Error',
+          },
+        }),
+        headers: {
+          'Content-Type': 'text/html',
+        },
+      });
+    });
+
+    const req = await Promise.all([waitForErrorRequest(page), page.goto(url)]).then(([r]) => r);
+    const eventData = envelopeRequestParser<Event>(req);
+
+    expect(eventData.exception?.values).toHaveLength(1);
+
+    expect(eventData).toMatchObject({
+      message: 'HTTP Client Error with status code: 500',
+      request: {
+        url: 'http://sentry-test.io/foo',
+        method: 'GET',
+        headers: {
+          accept: 'application/json',
+          cache: 'no-cache',
+          'content-type': 'application/json',
+        },
+      },
+      contexts: {
+        response: {
+          status_code: 500,
+          headers: {
+            'content-type': 'text/html',
+          },
+        },
+      },
+    });
+  },
+);

dev-packages/browser-integration-tests/suites/integrations/httpclient/fetch/withDisabledDataCollection/init.js

@@ -0,0 +1,14 @@
+import * as Sentry from '@sentry/browser';
+import { httpClientIntegration } from '@sentry/browser';
+
+window.Sentry = Sentry;
+
+Sentry.init({
+  dsn: 'https://public@dsn.ingest.sentry.io/1337',
+  integrations: [httpClientIntegration()],
+  tracesSampleRate: 1,
+  dataCollection: {
+    cookies: false,
+    httpHeaders: { request: false, response: false },
+  },
+});

dev-packages/browser-integration-tests/suites/integrations/httpclient/fetch/withDisabledDataCollection/subject.js

@@ -0,0 +1,9 @@
+fetch('http://sentry-test.io/foo', {
+  method: 'GET',
+  credentials: 'include',
+  headers: {
+    Accept: 'application/json',
+    'Content-Type': 'application/json',
+    Cache: 'no-cache',
+  },
+});

dev-packages/browser-integration-tests/suites/integrations/httpclient/fetch/withDisabledDataCollection/test.ts

@@ -0,0 +1,45 @@
+import { expect } from '@playwright/test';
+import type { Event } from '@sentry/core';
+import { sentryTest } from '../../../../../utils/fixtures';
+import { envelopeRequestParser, waitForErrorRequest } from '../../../../../utils/helpers';
+
+sentryTest(
+  'should not capture headers or cookies when dataCollection disables them',
+  async ({ getLocalTestUrl, page }) => {
+    const url = await getLocalTestUrl({ testDir: __dirname });
+
+    await page.route('**/foo', route => {
+      return route.fulfill({
+        status: 500,
+        body: JSON.stringify({
+          error: {
+            message: 'Internal Server Error',
+          },
+        }),
+        headers: {
+          'Content-Type': 'text/html',
+        },
+      });
+    });
+
+    const req = await Promise.all([waitForErrorRequest(page), page.goto(url)]).then(([r]) => r);
+    const eventData = envelopeRequestParser<Event>(req);
+
+    expect(eventData.exception?.values).toHaveLength(1);
+    expect(eventData.message).toBe('HTTP Client Error with status code: 500');
+
+    // Request URL and method are always present
+    expect(eventData.request?.url).toBe('http://sentry-test.io/foo');
+    expect(eventData.request?.method).toBe('GET');
+
+    // Request headers set in subject.js should not be captured
+    expect(eventData.request?.headers?.accept).toBeUndefined();
+    expect(eventData.request?.headers?.cache).toBeUndefined();
+    expect(eventData.request?.headers?.['content-type']).toBeUndefined();
+    expect(eventData.request?.cookies).toBeUndefined();
+
+    // Response headers should not be captured
+    expect(eventData.contexts?.response?.headers?.['content-type']).toBeUndefined();
+    expect(eventData.contexts?.response?.cookies).toBeUndefined();
+  },
+);

dev-packages/browser-integration-tests/suites/integrations/httpclient/fetch/withHeadersOnlyDataCollection/init.js

@@ -0,0 +1,14 @@
+import * as Sentry from '@sentry/browser';
+import { httpClientIntegration } from '@sentry/browser';
+
+window.Sentry = Sentry;
+
+Sentry.init({
+  dsn: 'https://public@dsn.ingest.sentry.io/1337',
+  integrations: [httpClientIntegration()],
+  tracesSampleRate: 1,
+  dataCollection: {
+    cookies: false,
+    httpHeaders: { request: true, response: true },
+  },
+});

dev-packages/browser-integration-tests/suites/integrations/httpclient/fetch/withHeadersOnlyDataCollection/subject.js

@@ -0,0 +1,9 @@
+fetch('http://sentry-test.io/foo', {
+  method: 'GET',
+  credentials: 'include',
+  headers: {
+    Accept: 'application/json',
+    'Content-Type': 'application/json',
+    Cache: 'no-cache',
+  },
+});

dev-packages/browser-integration-tests/suites/integrations/httpclient/fetch/withHeadersOnlyDataCollection/test.ts

@@ -0,0 +1,45 @@
+import { expect } from '@playwright/test';
+import type { Event } from '@sentry/core';
+import { sentryTest } from '../../../../../utils/fixtures';
+import { envelopeRequestParser, waitForErrorRequest } from '../../../../../utils/helpers';
+
+sentryTest(
+  'should capture headers but not cookies when cookies are disabled in dataCollection',
+  async ({ getLocalTestUrl, page }) => {
+    const url = await getLocalTestUrl({ testDir: __dirname });
+
+    await page.route('**/foo', route => {
+      return route.fulfill({
+        status: 500,
+        body: JSON.stringify({
+          error: {
+            message: 'Internal Server Error',
+          },
+        }),
+        headers: {
+          'Content-Type': 'text/html',
+        },
+      });
+    });
+
+    const req = await Promise.all([waitForErrorRequest(page), page.goto(url)]).then(([r]) => r);
+    const eventData = envelopeRequestParser<Event>(req);
+
+    expect(eventData.exception?.values).toHaveLength(1);
+
+    // Headers should be present
+    expect(eventData.request?.headers).toMatchObject({
+      accept: 'application/json',
+      cache: 'no-cache',
+      'content-type': 'application/json',
+    });
+
+    expect(eventData.contexts?.response?.headers).toMatchObject({
+      'content-type': 'text/html',
+    });
+
+    // Cookies should not be present
+    expect(eventData.request?.cookies).toBeUndefined();
+    expect(eventData.contexts?.response?.cookies).toBeUndefined();
+  },
+);

dev-packages/browser-integration-tests/suites/integrations/httpclient/fetch/withSensitiveHeaders/subject.js

@@ -0,0 +1,11 @@
+fetch('http://sentry-test.io/foo', {
+  method: 'GET',
+  credentials: 'include',
+  headers: {
+    Accept: 'application/json',
+    Authorization: 'Bearer super-secret-token-123',
+    'Content-Type': 'application/json',
+    'X-API-Key': 'my-api-key-456',
+    'X-Custom-Header': 'safe-value',
+  },
+});