From d198375fb27dacce05d85b4037ac96989aa26132 Mon Sep 17 00:00:00 2001 From: Alexander Pantiukhov Date: Mon, 29 Jun 2026 12:35:08 +0200 Subject: [PATCH 1/3] feat(replay): Default networkCaptureBodies to true for cross-platform parity Flip the default of `mobileReplayIntegration({ networkCaptureBodies })`\nfrom `false` to `true` so the React Native SDK matches the iOS and\nAndroid native SDKs out of the box.\n\nThe original opt-in default was conservative because body capture can\ncarry sensitive payloads, but the opt-in step is already covered by\n`networkDetailAllowUrls`: bodies are only recorded for URLs the user\nexplicitly lists there (empty by default). Splitting that into a\nseparate `networkCaptureBodies` flag duplicated the gate and put us\nout of step with the native defaults, which has been confusing for\nusers expecting bodies to flow once they allow-listed a URL.\n\nUsers who want to keep header-only capture for allow-listed URLs can\nset `networkCaptureBodies: false` explicitly.\n\nJSDoc updated to describe the new behaviour and the fact that the\nallow-list is the real opt-in. All existing tests still pass. --- CHANGELOG.md | 4 ++++ packages/core/src/js/replay/mobilereplay.ts | 18 +++++++++++------- 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c15fbe004a..789cab2942 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -24,6 +24,10 @@ Render-phase errors that reach the boundary are captured with route context (`route.name`, `route.path`, `route.params`), the in-flight navigation transaction is tagged as errored, and a breadcrumb is emitted. Concrete paths and params are gated behind `sendDefaultPii`. +### Changes + +- Default `mobileReplayIntegration({ networkCaptureBodies })` to `true`, matching the iOS and Android native SDK defaults. Bodies are still only recorded for URLs explicitly listed in `networkDetailAllowUrls` (empty by default); the previous opt-in step is now part of the allow-list, not a separate flag. Set `networkCaptureBodies: false` to keep header-only capture for allow-listed URLs. ([#XXXX](https://github.com/getsentry/sentry-react-native/pull/XXXX)) + ### Fixes - Apply `SENTRY_ENVIRONMENT`, `SENTRY_RELEASE` and `SENTRY_DIST` build-time overrides to the JS bundled options to match the native SDKs ([#6330](https://github.com/getsentry/sentry-react-native/pull/6330)) diff --git a/packages/core/src/js/replay/mobilereplay.ts b/packages/core/src/js/replay/mobilereplay.ts index 2d465523b6..27e048e4de 100644 --- a/packages/core/src/js/replay/mobilereplay.ts +++ b/packages/core/src/js/replay/mobilereplay.ts 
@@ -181,14 +181,18 @@ export interface MobileReplayOptions { /** * If request and response bodies should be captured for URLs matched by - * `networkDetailAllowUrls`. When `false` (the default), only headers are - * captured for allow-listed URLs — opt in explicitly to record bodies, since - * they can contain sensitive payloads. + * `networkDetailAllowUrls`. Enabled by default — set to `false` to capture + * only headers for allow-listed URLs when you cannot tolerate body payloads + * being recorded. * * Bodies are truncated at ~150 KB; truncated payloads include a - * `MAX_BODY_SIZE_EXCEEDED` warning. + * `MAX_BODY_SIZE_EXCEEDED` warning. URLs only enter the capture path after + * being explicitly allow-listed via `networkDetailAllowUrls`, so the + * default-on behaviour does not implicitly capture every request body. * - * @default false + * Aligned with the iOS and Android native SDK defaults. + * + * @default true */ networkCaptureBodies?: boolean; @@ -222,7 +226,7 @@ const defaultOptions: MobileReplayOptions = { screenshotStrategy: 'pixelCopy', networkDetailAllowUrls: [], networkDetailDenyUrls: [], - networkCaptureBodies: false, + networkCaptureBodies: true, networkRequestHeaders: [], networkResponseHeaders: [], }; @@ -388,7 +392,7 @@ export const mobileReplayIntegration = (initOptions: MobileReplayOptions = defau const networkOptions: ResolvedNetworkOptions = { allowUrls: options.networkDetailAllowUrls ?? [], denyUrls: options.networkDetailDenyUrls ?? [], - captureBodies: options.networkCaptureBodies ?? false, + captureBodies: options.networkCaptureBodies ?? true, requestHeaders: options.networkRequestHeaders ?? [], responseHeaders: options.networkResponseHeaders ?? [], }; From 5e8cd9dc29497646c0f688d3b6122114db334724 Mon Sep 17 00:00:00 2001 From: Alexander Pantiukhov Date: Mon, 29 Jun 2026 12:35:56 +0200 Subject: [PATCH 2/3] chore(changelog): Fix PR number in entry --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
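Review bot: The rewritten JSDoc for `networkCaptureBodies` drops the old warning that bodies "can contain sensitive payloads", and with the default now `true` that is the sentence a reader most needs. Keep it in the new text, for example `* Bodies can carry credentials, tokens or personal data, so keep the allow-list as narrow as possible.` It would also help to say that an app which already populates `networkDetailAllowUrls` starts recording bodies on upgrade unless it sets `false`. The `MobileReplayOptions` interface starts and ends outside this hunk.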
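Review bot: Flipping the default in `defaultOptions` and in the `?? true` fallback of `networkOptions` silently widens capture for every existing configuration that lists URLs in `networkDetailAllowUrls` and leaves `networkCaptureBodies` unset: those apps move from header-only to full request and response body capture on upgrade, with nothing at runtime to tell them. The diffstat touches only CHANGELOG.md and mobilereplay.ts, and the message says existing tests still pass, which suggests no test pins this default. A test asserting the resolved `captureBodies` for an unset option, and another for an explicit `false`, would stop it from flipping unnoticed again. The default is also written in two places, so a comment at the first site would help, such as `// Default-on: bodies are recorded for every allow-listed URL unless set to false; keep in sync with the fallback in mobileReplayIntegration`. Both the `defaultOptions` literal and `mobileReplayIntegration` extend beyond the hunks shown.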
diff --git a/CHANGELOG.md b/CHANGELOG.md index 789cab2942..991eab3d5f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -26,7 +26,7 @@ ### Changes -- Default `mobileReplayIntegration({ networkCaptureBodies })` to `true`, matching the iOS and Android native SDK defaults. Bodies are still only recorded for URLs explicitly listed in `networkDetailAllowUrls` (empty by default); the previous opt-in step is now part of the allow-list, not a separate flag. Set `networkCaptureBodies: false` to keep header-only capture for allow-listed URLs. ([#XXXX](https://github.com/getsentry/sentry-react-native/pull/XXXX)) +- Default `mobileReplayIntegration({ networkCaptureBodies })` to `true`, matching the iOS and Android native SDK defaults. Bodies are still only recorded for URLs explicitly listed in `networkDetailAllowUrls` (empty by default); the previous opt-in step is now part of the allow-list, not a separate flag. Set `networkCaptureBodies: false` to keep header-only capture for allow-listed URLs. ([#6372](https://github.com/getsentry/sentry-react-native/pull/6372)) ### Fixes From 94860f13e0f78a6dbd2fedc1a09b65accafd9c27 Mon Sep 17 00:00:00 2001 From: Alexander Pantiukhov Date: Mon, 29 Jun 2026 15:44:43 +0200 Subject: [PATCH 3/3] chore(changelog): Move entry to Unreleased and shorten Co-Authored-By: Claude Opus 4.7 --- CHANGELOG.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b3e27bebe0..30a559fa2d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,6 +23,10 @@ }); ``` +### Changes + +- Default `mobileReplayIntegration({ networkCaptureBodies })` to `true`, matching the iOS and Android native SDK defaults ([#6372](https://github.com/getsentry/sentry-react-native/pull/6372)) + ### Fixes - The Sentry Babel transformer no longer injects `@sentry/babel-plugin-component-annotate` unless `annotateReactComponents` is explicitly enabled ([#6347](https://github.com/getsentry/sentry-react-native/pull/6347)) 
@@ -57,10 +61,6 @@ Render-phase errors that reach the boundary are captured with route context (`route.name`, `route.path`, `route.params`), the in-flight navigation transaction is tagged as errored, and a breadcrumb is emitted. Concrete paths and params are gated behind `sendDefaultPii`. -### Changes - -- Default `mobileReplayIntegration({ networkCaptureBodies })` to `true`, matching the iOS and Android native SDK defaults. Bodies are still only recorded for URLs explicitly listed in `networkDetailAllowUrls` (empty by default); the previous opt-in step is now part of the allow-list, not a separate flag. Set `networkCaptureBodies: false` to keep header-only capture for allow-listed URLs. ([#6372](https://github.com/getsentry/sentry-react-native/pull/6372)) - ### Fixes - Fix fatal `NSInvalidArgumentException` crash in `RNSentryReplayBreadcrumbConverter` when a touch breadcrumb path contains a non-dictionary element ([#6346](https://github.com/getsentry/sentry-react-native/pull/6346))