feat!: Only collect ip addresses with sendDefaultPii: true (#15084)

Ref:
#5347 (comment)

dev-packages/browser-integration-tests/suites/feedback/attachTo/test.ts

@@ -57,9 +57,6 @@ sentryTest('should capture feedback with custom button', async ({ getLocalTestUr
     event_id: expect.stringMatching(/\w{32}/),
     environment: 'production',
     tags: {},
-    user: {
-      ip_address: '{{auto}}',
-    },
     sdk: {
       integrations: expect.arrayContaining(['Feedback']),
       version: expect.any(String),

dev-packages/browser-integration-tests/suites/feedback/captureFeedback/test.ts

@@ -69,9 +69,6 @@ sentryTest('should capture feedback', async ({ getLocalTestUrl, page }) => {
         'User-Agent': expect.stringContaining(''),
       },
     },
-    user: {
-      ip_address: '{{auto}}',
-    },
     platform: 'javascript',
   });
 });

dev-packages/browser-integration-tests/suites/feedback/captureFeedbackAndReplay/hasSampling/test.ts

@@ -103,9 +103,6 @@ sentryTest('should capture feedback', async ({ forceFlushReplay, getLocalTestUrl
         'User-Agent': expect.stringContaining(''),
       },
     },
-    user: {
-      ip_address: '{{auto}}',
-    },
     platform: 'javascript',
   });
 });

dev-packages/browser-integration-tests/suites/feedback/captureFeedbackCsp/test.ts

@@ -69,9 +69,6 @@ sentryTest('should capture feedback', async ({ getLocalTestUrl, page }) => {
         'User-Agent': expect.stringContaining(''),
       },
     },
-    user: {
-      ip_address: '{{auto}}',
-    },
     platform: 'javascript',
   });
   const cspViolation = await page.evaluate<boolean>('window.__CSPVIOLATION__');

dev-packages/browser-integration-tests/suites/manual-client/browser-context/test.ts

@@ -34,9 +34,6 @@ sentryTest('allows to setup a client manually & capture exceptions', async ({ ge
         'User-Agent': expect.any(String),
       }),
     },
-    user: {
-      ip_address: '{{auto}}',
-    },
     timestamp: expect.any(Number),
     environment: 'local',
     release: '0.0.1',

dev-packages/browser-integration-tests/suites/public-api/sendDefaultPii/errors/subject.js

@@ -0,0 +1 @@
+Sentry.captureException(new Error('woot'));

dev-packages/browser-integration-tests/suites/public-api/sendDefaultPii/errors/test.ts

@@ -0,0 +1,11 @@
+import { expect } from '@playwright/test';
+import type { Event } from '@sentry/core';
+
+import { sentryTest } from '../../../../utils/fixtures';
+import { getFirstSentryEnvelopeRequest } from '../../../../utils/helpers';
+
+sentryTest('should default user to {{auto}} on errors when sendDefaultPii: true', async ({ getLocalTestUrl, page }) => {
+  const url = await getLocalTestUrl({ testDir: __dirname });
+  const eventData = await getFirstSentryEnvelopeRequest<Event>(page, url);
+  expect(eventData.user?.ip_address).toBe('{{auto}}');
+});

dev-packages/browser-integration-tests/suites/public-api/sendDefaultPii/init.js

@@ -0,0 +1,9 @@
+import * as Sentry from '@sentry/browser';
+
+window.Sentry = Sentry;
+
+Sentry.init({
+  dsn: 'https://[email protected]/1337',
+  tracesSampleRate: 1,
+  sendDefaultPii: true,
+});

dev-packages/browser-integration-tests/suites/public-api/sendDefaultPii/performance/subject.js

@@ -0,0 +1 @@
+Sentry.startSpan({ name: 'woot' }, () => undefined);

dev-packages/browser-integration-tests/suites/public-api/sendDefaultPii/performance/test.ts

@@ -0,0 +1,21 @@
+import { expect } from '@playwright/test';
+import { sentryTest } from '../../../../utils/fixtures';
+import {
+  envelopeRequestParser,
+  shouldSkipTracingTest,
+  waitForTransactionRequestOnUrl,
+} from '../../../../utils/helpers';
+
+sentryTest(
+  'should default user to {{auto}} on transactions when sendDefaultPii: true',
+  async ({ getLocalTestUrl, page }) => {
+    if (shouldSkipTracingTest()) {
+      sentryTest.skip();
+    }
+
+    const url = await getLocalTestUrl({ testDir: __dirname });
+    const req = await waitForTransactionRequestOnUrl(page, url);
+    const transaction = envelopeRequestParser(req);
+    expect(transaction.user?.ip_address).toBe('{{auto}}');
+  },
+);

dev-packages/browser-integration-tests/suites/public-api/sendDefaultPii/replay/init.js

@@ -0,0 +1,20 @@
+import * as Sentry from '@sentry/browser';
+
+window.Sentry = Sentry;
+
+window.Replay = Sentry.replayIntegration({
+  flushMinDelay: 200,
+  flushMaxDelay: 200,
+  minReplayDuration: 0,
+  useCompression: false,
+  blockAllMedia: false,
+  unmask: ['.sentry-unmask, [data-sentry-unmask]'],
+});
+
+Sentry.init({
+  dsn: 'https://[email protected]/1337',
+  replaysSessionSampleRate: 1.0,
+  replaysOnErrorSampleRate: 0.0,
+  integrations: [window.Replay],
+  sendDefaultPii: true,
+});

dev-packages/browser-integration-tests/suites/public-api/sendDefaultPii/replay/test.ts

@@ -0,0 +1,24 @@
+import { expect } from '@playwright/test';
+
+import { sentryTest } from '../../../../utils/fixtures';
+import { getReplayEvent, shouldSkipReplayTest, waitForReplayRequest } from '../../../../utils/replayHelpers';
+
+sentryTest(
+  'replay recording should contain default performance spans',
+  async ({ getLocalTestUrl, page, browserName }) => {
+    // We only test this against the NPM package and replay bundles
+    // and only on chromium as most performance entries are only available in chromium
+    if (shouldSkipReplayTest() || browserName !== 'chromium') {
+      sentryTest.skip();
+    }
+
+    const reqPromise0 = waitForReplayRequest(page, 0);
+
+    const url = await getLocalTestUrl({ testDir: __dirname });
+
+    await page.goto(url);
+    const replayEvent = getReplayEvent(await reqPromise0);
+
+    expect(replayEvent.user?.ip_address).toBe('{{auto}}');
+  },
+);

dev-packages/browser-integration-tests/suites/public-api/sendDefaultPii/sessions/init.js

@@ -0,0 +1,9 @@
+import * as Sentry from '@sentry/browser';
+
+window.Sentry = Sentry;
+
+Sentry.init({
+  dsn: 'https://[email protected]/1337',
+  sendDefaultPii: true,
+  release: '1.0',
+});

dev-packages/browser-integration-tests/suites/public-api/sendDefaultPii/sessions/test.ts

@@ -0,0 +1,13 @@
+import { expect } from '@playwright/test';
+
+import { sentryTest } from '../../../../utils/fixtures';
+import { getFirstSentryEnvelopeRequest } from '../../../../utils/helpers';
+
+sentryTest(
+  'should default user to {{auto}} on sessions when sendDefaultPii: true',
+  async ({ getLocalTestUrl, page }) => {
+    const url = await getLocalTestUrl({ testDir: __dirname });
+    const session = await getFirstSentryEnvelopeRequest(page, url);
+    expect((session as any).attrs.ip_address).toBe('{{auto}}');
+  },
+);

dev-packages/browser-integration-tests/suites/public-api/setUser/init.js

@@ -4,4 +4,5 @@ window.Sentry = Sentry;
 
 Sentry.init({
   dsn: 'https://[email protected]/1337',
+  sendDefaultPii: true,
 });

dev-packages/browser-integration-tests/suites/public-api/setUser/unset_user/test.ts

@@ -10,6 +10,8 @@ sentryTest('should unset user', async ({ getLocalTestUrl, page }) => {
   const eventData = await getMultipleSentryEnvelopeRequests<Event>(page, 3, { url });
 
   expect(eventData[0].message).toBe('no_user');
+
+  // because sendDefaultPii: true
   expect(eventData[0].user).toEqual({ ip_address: '{{auto}}' });
 
   expect(eventData[1].message).toBe('user');
@@ -20,6 +22,8 @@ sentryTest('should unset user', async ({ getLocalTestUrl, page }) => {
   });
 
   expect(eventData[2].message).toBe('unset_user');
+
+  // because sendDefaultPii: true
   expect(eventData[2].user).toEqual({
     ip_address: '{{auto}}',
   });

dev-packages/browser-integration-tests/suites/public-api/startSpan/standalone-mixed-transaction/test.ts

@@ -103,9 +103,6 @@ sentryTest(
         headers: expect.any(Object),
         url: expect.any(String),
       },
-      user: {
-        ip_address: '{{auto}}',
-      },
       sdk: expect.any(Object),
       spans: [
         {

dev-packages/browser-integration-tests/suites/public-api/withScope/init.js

@@ -4,4 +4,5 @@ window.Sentry = Sentry;
 
 Sentry.init({
   dsn: 'https://[email protected]/1337',
+  sendDefaultPii: true,
 });

dev-packages/browser-integration-tests/suites/public-api/withScope/nested_scopes/test.ts

@@ -10,22 +10,36 @@ sentryTest('should allow nested scoping', async ({ getLocalTestUrl, page }) => {
   const eventData = await getMultipleSentryEnvelopeRequests<Event>(page, 5, { url });
 
   expect(eventData[0].message).toBe('root_before');
-  expect(eventData[0].user).toEqual({ id: 'qux', ip_address: '{{auto}}' });
+  expect(eventData[0].user).toEqual({
+    id: 'qux',
+    ip_address: '{{auto}}', // because sendDefaultPii: true
+  });
   expect(eventData[0].tags).toBeUndefined();
 
   expect(eventData[1].message).toBe('outer_before');
-  expect(eventData[1].user).toEqual({ id: 'qux', ip_address: '{{auto}}' });
+  expect(eventData[1].user).toEqual({
+    id: 'qux',
+    ip_address: '{{auto}}', // because sendDefaultPii: true
+  });
   expect(eventData[1].tags).toMatchObject({ foo: false });
 
   expect(eventData[2].message).toBe('inner');
-  expect(eventData[2].user).toEqual({ ip_address: '{{auto}}' });
+  expect(eventData[2].user).toEqual({
+    ip_address: '{{auto}}', // because sendDefaultPii: true
+  });
   expect(eventData[2].tags).toMatchObject({ foo: false, bar: 10 });
 
   expect(eventData[3].message).toBe('outer_after');
-  expect(eventData[3].user).toEqual({ id: 'baz', ip_address: '{{auto}}' });
+  expect(eventData[3].user).toEqual({
+    id: 'baz',
+    ip_address: '{{auto}}', // because sendDefaultPii: true
+  });
   expect(eventData[3].tags).toMatchObject({ foo: false });
 
   expect(eventData[4].message).toBe('root_after');
-  expect(eventData[4].user).toEqual({ id: 'qux', ip_address: '{{auto}}' });
+  expect(eventData[4].user).toEqual({
+    id: 'qux',
+    ip_address: '{{auto}}', // because sendDefaultPii: true
+  });
   expect(eventData[4].tags).toBeUndefined();
 });

dev-packages/browser-integration-tests/suites/replay/captureReplay/test.ts

@@ -55,9 +55,6 @@ sentryTest('should capture replays (@sentry/browser export)', async ({ getLocalT
         'User-Agent': expect.stringContaining(''),
       },
     },
-    user: {
-      ip_address: '{{auto}}',
-    },
     platform: 'javascript',
   });
 
@@ -96,9 +93,6 @@ sentryTest('should capture replays (@sentry/browser export)', async ({ getLocalT
         'User-Agent': expect.stringContaining(''),
       },
     },
-    user: {
-      ip_address: '{{auto}}',
-    },
     platform: 'javascript',
   });
 });

dev-packages/browser-integration-tests/suites/replay/captureReplayFromReplayPackage/test.ts

@@ -55,9 +55,6 @@ sentryTest('should capture replays (@sentry-internal/replay export)', async ({ g
         'User-Agent': expect.stringContaining(''),
       },
     },
-    user: {
-      ip_address: '{{auto}}',
-    },
     platform: 'javascript',
   });
 
@@ -96,9 +93,6 @@ sentryTest('should capture replays (@sentry-internal/replay export)', async ({ g
         'User-Agent': expect.stringContaining(''),
       },
     },
-    user: {
-      ip_address: '{{auto}}',
-    },
     platform: 'javascript',
   });
 });

dev-packages/browser-integration-tests/suites/tracing/metrics/web-vitals-cls-standalone-spans/test.ts

@@ -69,7 +69,6 @@ sentryTest('captures a "GOOD" CLS vital with its source as a standalone span', a
       transaction: expect.stringContaining('index.html'),
       'user_agent.original': expect.stringContaining('Chrome'),
       'sentry.pageload.span_id': expect.stringMatching(/[a-f0-9]{16}/),
-      'client.address': '{{auto}}',
     },
     description: expect.stringContaining('body > div#content > p'),
     exclusive_time: 0,
@@ -138,7 +137,6 @@ sentryTest('captures a "MEH" CLS vital with its source as a standalone span', as
       transaction: expect.stringContaining('index.html'),
       'user_agent.original': expect.stringContaining('Chrome'),
       'sentry.pageload.span_id': expect.stringMatching(/[a-f0-9]{16}/),
-      'client.address': '{{auto}}',
     },
     description: expect.stringContaining('body > div#content > p'),
     exclusive_time: 0,
@@ -205,7 +203,6 @@ sentryTest('captures a "POOR" CLS vital with its source as a standalone span.',
       transaction: expect.stringContaining('index.html'),
       'user_agent.original': expect.stringContaining('Chrome'),
       'sentry.pageload.span_id': expect.stringMatching(/[a-f0-9]{16}/),
-      'client.address': '{{auto}}',
     },
     description: expect.stringContaining('body > div#content > p'),
     exclusive_time: 0,
@@ -273,7 +270,6 @@ sentryTest(
         transaction: expect.stringContaining('index.html'),
         'user_agent.original': expect.stringContaining('Chrome'),
         'sentry.pageload.span_id': expect.stringMatching(/[a-f0-9]{16}/),
-        'client.address': '{{auto}}',
       },
       description: 'Layout shift',
       exclusive_time: 0,

dev-packages/browser-integration-tests/suites/tracing/metrics/web-vitals-inp-late/test.ts

@@ -71,7 +71,6 @@ sentryTest('should capture an INP click event span after pageload', async ({ bro
       'sentry.source': 'custom',
       transaction: 'test-url',
       'user_agent.original': expect.stringContaining('Chrome'),
-      'client.address': '{{auto}}',
     },
     measurements: {
       inp: {

dev-packages/browser-integration-tests/suites/tracing/metrics/web-vitals-inp-parametrized-late/test.ts

@@ -74,7 +74,6 @@ sentryTest(
         'sentry.source': 'custom',
         transaction: 'test-route',
         'user_agent.original': expect.stringContaining('Chrome'),
-        'client.address': '{{auto}}',
       },
       measurements: {
         inp: {

dev-packages/browser-integration-tests/suites/tracing/metrics/web-vitals-inp-parametrized/test.ts

@@ -70,7 +70,6 @@ sentryTest(
         'sentry.origin': 'auto.http.browser.inp',
         transaction: 'test-route',
         'user_agent.original': expect.stringContaining('Chrome'),
-        'client.address': '{{auto}}',
       },
       measurements: {
         inp: {

dev-packages/browser-integration-tests/suites/tracing/metrics/web-vitals-inp/test.ts

@@ -69,7 +69,6 @@ sentryTest('should capture an INP click event span during pageload', async ({ br
       'sentry.origin': 'auto.http.browser.inp',
       transaction: 'test-url',
       'user_agent.original': expect.stringContaining('Chrome'),
-      'client.address': '{{auto}}',
     },
     measurements: {
       inp: {

dev-packages/browser-integration-tests/utils/replayEventTemplates.ts

@@ -37,9 +37,6 @@ const DEFAULT_REPLAY_EVENT = {
       'User-Agent': expect.any(String),
     },
   },
-  user: {
-    ip_address: '{{auto}}',
-  },
   platform: 'javascript',
 };
 

dev-packages/e2e-tests/test-applications/react-17/src/index.tsx

@@ -38,6 +38,7 @@ Sentry.init({
   replaysOnErrorSampleRate: 0.0,
 
   tunnel: 'http://localhost:3031',
+  sendDefaultPii: true,
 });
 
 const SentryRoutes = Sentry.withSentryReactRouterV6Routing(Routes);

dev-packages/e2e-tests/test-applications/react-router-6/src/index.tsx

@@ -40,6 +40,7 @@ Sentry.init({
   replaysOnErrorSampleRate: 0.0,
 
   tunnel: 'http://localhost:3031',
+  sendDefaultPii: true,
 });
 
 const SentryRoutes = Sentry.withSentryReactRouterV6Routing(Routes);

dev-packages/e2e-tests/test-applications/react-router-7-spa/src/main.tsx

@@ -39,6 +39,7 @@ Sentry.init({
   replaysSessionSampleRate: 1.0,
   replaysOnErrorSampleRate: 0.0,
   tunnel: 'http://localhost:3031',
+  sendDefaultPii: true,
 });
 
 const SentryRoutes = Sentry.withSentryReactRouterV7Routing(Routes);

docs/migration/v8-to-v9.md

@@ -108,6 +108,7 @@ Older Typescript versions _may_ still work, but we will not test them anymore an
 
 ### `@sentry/browser`
 
+- The SDK no longer instructs the Sentry backend to automatically infer IP addresses by default. This means that places where you previously saw IP addresses in Sentry may now be grouped to anonymous users. Set the `sendDefaultPii` option in `Sentry.init()` to true to instruct the Sentry backend to infer IP addresses.
 - The `captureUserFeedback` method has been removed. Use the `captureFeedback` method instead and update the `comments` field to `message`.
 
 ### `@sentry/nextjs`