feat: sanitize URLs + semantic conventions for header attributes #317
+2,407
−51
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Adds URL sanitization to redact credentials and sensitive query parameters per OpenTelemetry semantic conventions. Refactors request/response attribute handling to conditionally record and sanitize headers and bodies, and introduces helper functions for parsing and formatting headers. Includes comprehensive tests for sanitization and attribute formatting.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
… O11Y-833-add-header-span-attributes-in-web-js-instrumentation
ccschmitz-launchdarkly
changed the title
ccschmitz-launchdarkly
changed the title
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
ntiner1
approved these changes
Dec 11, 2025
ntiner1
left a comment
ntiner1
left a comment
There was a problem hiding this comment.
Cursor comments seem real, 1 suggestion, otherwise looks good
🥇
sdk/highlight-run/src/client/listeners/network-listener/utils/network-sanitizer.ts
Show resolved
Hide resolved
sdk/highlight-run/src/client/listeners/network-listener/utils/network-sanitizer.ts
Show resolved
Hide resolved
… O11Y-833-add-header-span-attributes-in-web-js-instrumentation
sdk/highlight-run/src/client/listeners/network-listener/utils/network-sanitizer.ts
Dismissed
Show dismissed
Hide dismissed
sdk/highlight-run/src/client/listeners/network-listener/utils/network-sanitizer.ts
Show resolved
Hide resolved
ccschmitz-launchdarkly
deleted the
O11Y-833-add-header-span-attributes-in-web-js-instrumentation
branch
Merged
abelonogov-ld
added a commit
that referenced
this pull request
Dec 16, 2025
* main: chore: Fix existing RRwebGraphQLReplayLogExporterTest tests (#321) feat: sanitize URLs + semantic conventions for header attributes (#317) refactor: introduce granular ObservabilityOptions (#323) refactor: OY11-846 - Add Session Replay plugin (#313) # Conflicts: # sdk/@launchdarkly/observability-android/lib/src/test/kotlin/com/launchdarkly/observability/replay/RRwebGraphQLReplayLogExporterTest.kt
abelonogov-ld
added a commit
that referenced
this pull request
Dec 16, 2025
* main: feat: Limit accumulating canvas buffer (#322) chore: Fix existing RRwebGraphQLReplayLogExporterTest tests (#321) feat: sanitize URLs + semantic conventions for header attributes (#317) refactor: introduce granular ObservabilityOptions (#323) refactor: OY11-846 - Add Session Replay plugin (#313) chore: upgrade react-server-dom-webpack to 19.0.3 (#320) chore: release main (#319) feat: enhance Web Vitals telemetry with semantic attributes (#316) chore: release main (#318) fix: Android - Remove Disk Buffering (#315) chore: readme update with real examples (#314)
Vadman97
pushed a commit
that referenced
this pull request
Dec 18, 2025
🤖 I have created a release *beep* *boop* --- <details><summary>launchdarkly-observability-android: 0.20.0</summary> ## [0.20.0](launchdarkly-observability-android-0.19.1...launchdarkly-observability-android-0.20.0) (2025-12-18) ### Features * Android SR Identify support ([#330](#330)) ([a421812](a421812)) * Graphql client memory optimization ([#325](#325)) ([f199e2d](f199e2d)) * Gzip compression for Graphql request body ([#328](#328)) ([d862a15](d862a15)) * Limit accumulating canvas buffer ([#322](#322)) ([72f2592](72f2592)) </details> <details><summary>observability: 0.4.11</summary> ## [0.4.11](observability-0.4.10...observability-0.4.11) (2025-12-18) ### Dependencies * The following workspace dependencies were updated * dependencies * highlight.run bumped to 9.25.0 </details> <details><summary>session-replay: 0.4.11</summary> ## [0.4.11](session-replay-0.4.10...session-replay-0.4.11) (2025-12-18) ### Dependencies * The following workspace dependencies were updated * dependencies * highlight.run bumped to 9.25.0 </details> <details><summary>highlight.run: 9.25.0</summary> ## [9.25.0](highlight.run-9.24.0...highlight.run-9.25.0) (2025-12-18) ### Features * sanitize URLs + semantic conventions for header attributes ([#317](#317)) ([417b4b8](417b4b8)) </details> --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). <!-- CURSOR_SUMMARY --> --- > [!NOTE] > Release Android SDK 0.20.0 with multiple performance/features, bump highlight.run to 9.25.0, and update web packages (@launchdarkly/observability, @launchdarkly/session-replay) to 0.4.11 consuming the new dependency. > > - **Releases**: > - `sdk/@launchdarkly/observability-android` → `0.20.0` > - Features: Android SR Identify support, GraphQL client memory optimizations, Gzip GraphQL request bodies, limit accumulating canvas buffer. > - `sdk/highlight-run` → `9.25.0` > - Features: URL sanitization + semantic conventions for header attributes. > - `sdk/@launchdarkly/observability` → `0.4.11` > - Dependency: `highlight.run` bumped to `9.25.0`. > - `sdk/@launchdarkly/session-replay` → `0.4.11` > - Dependency: `highlight.run` bumped to `9.25.0`. > - **Version metadata**: > - Updated versions in `.release-please-manifest.json`, `package.json`s, and Android `gradle.properties`. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 68d9f0b. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY -->
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
How did you test this change?
Click tested with the new page on the E2E app.
Are there any deployment considerations?
N/A
Note
Sanitizes URLs (credentials and sensitive query params) and records request/response headers and bodies as OTel-compliant span attributes, plus adds an E2E HTTP test page and extensive tests.
http.url/url.full/url.path/url.queryusing newsanitizeUrl/safeParseUrl.networkRecordingOptions.recordHeadersAndBodyis enabled.http.request.header.*/http.response.header.*with correct array handling (splitHeaderValue).observe.ts.getUrlFromSpanandshouldRecordRequestin propagator; handle non-Response fetch results.safeParseUrl,sanitizeUrl, sensitive query param redaction, and defaults; export blocklist constants.parseXhrResponseHeaders,convertHeadersToOtelAttributes,splitHeaderValue.routes/http-test.tsxand route/http-testwith buttons to exercise header/url/body scenarios; link in root nav.instrumentation.test.tscovering URL sanitization, header conversion/splitting, XHR header parsing, and header/body recording behavior.Written by Cursor Bugbot for commit 71efe38. This will update automatically on new commits. Configure here.