Skip to content

Feature Request: Sanitize Auto-Tracked Resource URLs Before Reporting #1327

Description

@teplymax

Feature description

Feature Description

Use case

We want to sanitize URLs of resources reported to Datadog from React Native apps to prevent
PII leaks through query parameters or other URL components.

For example, an auto-tracked resource URL like:

https://testurl.com?phone=12345

should be reported as:

https://testurl.com?phone=PHONE_PLACEHOLDER

This would let mobile apps apply the same resource URL sanitization strategy that our
frontend already supports, giving us consistent privacy controls across web and mobile
instrumentation.

How the SDK currently delivers this

The React Native SDK exposes resourceEventMapper, but the automatic XHR resource tracking
flow does not give it enough control before native RUM resource tracking starts.

In the current flow, URL-based filtering or sanitization can happen too late. The native
resource may already be started before the mapper has enough resource context to decide
whether the event should be kept, dropped, or sanitized.

This means applications cannot reliably use resourceEventMapper as the single place to
sanitize auto-tracked XHR resource URLs before they are reported to Datadog.

What we would like to see

We would like resourceEventMapper to be applied to auto-tracked XHR resources before native
startResource is called.

The mapper should receive resource URL context, for example through
resourceContext.responseURL, so applications can inspect and rewrite the URL before it is
reported.

Expected behavior:

  • If resourceEventMapper rewrites resourceContext.responseURL, the sanitized URL is used
    for the reported RUM resource.
  • If resourceEventMapper returns null, the auto-tracked resource is dropped before native
    tracking starts.
  • Runtime calls to DdRum.registerResourceEventMapper and
    DdRum.unregisterResourceEventMapper update the mapper used by already-enabled automatic
    XHR tracking.
  • Existing resource tracking behavior, including tracing sample rate updates and internal SDK
    resource filters, continues to work.

This would let React Native apps prevent PII leaks in Datadog resource URLs while keeping
behavior consistent with frontend instrumentation.

Proposed solution

Here is the suggested implementation:

https://github.com/teplymax/dd-sdk-reactnative/tree/teplymax/apply-resourceEventMapper-to-auto-tracked-resources

Patch to test this out:
@datadog+mobile-react-native+3.5.1.patch

Other relevant information

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions