fix(distributed_tracing): ensure ASM standalone operates on all propagation styles

ddtrace/propagation/http.py

@@ -237,11 +237,6 @@ def _inject(span_context, headers):
             log.debug("tried to inject invalid context %r", span_context)
             return
 
-        # When in appsec standalone mode, only distributed traces with the `_dd.p.appsec` tag
-        # are propagated. If the tag is not present, we should not propagate downstream.
-        if asm_config._appsec_standalone_enabled and (APPSEC.PROPAGATION_HEADER not in span_context._meta):
-            return
-
         if span_context.trace_id > _MAX_UINT_64BITS:
             # set lower order 64 bits in `x-datadog-trace-id` header. For backwards compatibility these
             # bits should be converted to a base 10 integer.
@@ -355,16 +350,6 @@ def _extract(headers):
             if meta:
                 meta = validate_sampling_decision(meta)
 
-            if asm_config._appsec_standalone_enabled:
-                # When in appsec standalone mode, only distributed traces with the `_dd.p.appsec` tag
-                # are propagated downstream, however we need 1 trace per minute sent to the backend, so
-                # we unset sampling priority so the rate limiter decides.
-                if not meta or APPSEC.PROPAGATION_HEADER not in meta:
-                    sampling_priority = None
-                # If the trace has appsec propagation tag, the default priority is user keep
-                elif meta and APPSEC.PROPAGATION_HEADER in meta:
-                    sampling_priority = 2  # type: ignore[assignment]
-
             return Context(
                 # DEV: Do not allow `0` for trace id or span id, use None instead
                 trace_id=trace_id or None,
@@ -1097,6 +1082,11 @@ def parent_call():
 
             _inject_llmobs_parent_id(span_context)
 
+        # When in appsec standalone mode, only distributed traces with the `_dd.p.appsec` tag
+        # are propagated. If the tag is not present, we should not propagate downstream.
+        if asm_config._appsec_standalone_enabled and (APPSEC.PROPAGATION_HEADER not in span_context._meta):
+            return
+
         if PROPAGATION_STYLE_DATADOG in config._propagation_style_inject:
             _DatadogMultiHeader._inject(span_context, headers)
         if PROPAGATION_STYLE_B3_MULTI in config._propagation_style_inject:
@@ -1162,6 +1152,16 @@ def my_controller(url, headers):
                     else:
                         context = baggage_context
 
+            if asm_config._appsec_standalone_enabled:
+                # When in appsec standalone mode, only distributed traces with the `_dd.p.appsec` tag
+                # are propagated downstream, however we need 1 trace per minute sent to the backend, so
+                # we unset sampling priority so the rate limiter decides.
+                if not context._meta or APPSEC.PROPAGATION_HEADER not in context._meta:
+                    context.sampling_priority = None
+                # If the trace has appsec propagation tag, the default priority is user keep
+                elif context and APPSEC.PROPAGATION_HEADER in context._meta:
+                    context.sampling_priority = 2
+
             return context
 
         except Exception:

releasenotes/notes/fix-asm-standalone-propagation-7bdb5a040ef82bac.yaml

@@ -0,0 +1,4 @@
+---
+fixes:
+  - |
+    ASM: Fixed an issue where distributed tracing headers were improperly propagated when tracing was disabled. Now, headers are only propagated for traces with the _dd.p.appsec tag, regardless of the propagation style (e.g., TraceContext). Previously, this logic applied only to Datadog headers, potentially allowing invalid trace info to be injected or extracted.