Allowlist for navigation route params

[philipphofmann]

Description

With #3487 shipped in 5.12.2 the SDK stopped sending navigation route params for auto-generated transactions because they could contain PII or other sensitive data. Instead of dropping all parameters, we could define an allow list and/or guard sending params with sendDefaultPii. Anyways, even if sendDefaultPii is on, we must drop parameters such as username and password.

Related docs PR getsentry/sentry-docs#8767 and Relay PR to scrub PII from transaction data getsentry/relay#2899.

[liamjones]

For us, it'd be nice if you could just turn the 'include all params' feature back on rather than having to maintain a specific allow list - we never put anything sensitive in our nav params and the extra context can be invaluable. I suppose if the allow list supports regexps/patterns so we could easily say 'include everything' it'd be fine... 🤔

[kahest]

Related RFC: https://github.com/getsentry/rfcs/blob/main/text/0062-controlling-pii-and-credentials-in-sd-ks.md

[krystofwoldrich]

Browse JS context, thank you @Lms24

Default browser routing instrumentation does not include query params, but Vue routing integration does add them to the spans data bag.

httpClientIntegration adds a raw URL to the event request via httpContextIntegration

From my side, the most user-friendly way would be to add allowList without sendDefaultPii, with no default values.