Disable Release Health (autoSessionTracking) by default

[caugner]

The plugin is described as [only] reporting PHP and JavaScript errors to Sentry, but it also sends a session event for every page navigation, essentially tracking users (without consent).

This seems to be Sentry's Release Health feature:

The SDK will automatically manage the start and end of the sessions when the SDK is initialized. We create a session for every page load.

The solution is to set the autoSessionTracking flag to false:

Sentry.init({
  autoSessionTracking: false // default: true
});

In my opinion, this should be default for the plugin, unless the plugin description states otherwise.

[stayallive]

Hmm, I can agree with you but since it's the default of the JS SDK I think we maybe could communicate better what is being used under the hood instead of changing the SDK defaults?

[caugner]

If you add the "health" aspect to the plugin description and add an environment variable SENTRY_AUTO_SESSION_TRACKING, that would be a solution I could live with, because I use self-hosted Sentry (onpremise) instances exclusively.

Afaik Sentry's Release Health doesn't make sense for most WordPress sites though, because the plugin doesn't set a "release". It could use the WordPress version, but really any change to the set of activated plugins (activate plugin, update active plugin, deactive plugin) and themes would essentially justify a new "release" number (e.g. WordPress version + hash of active plugin names with versions).

When weighing the amount of data Release Health collects (we're talking IP address + visited page) against the benefit of the Release Health dashboard (namely the "Crash free rate"), my only conclusion is that this is not compatible with European GDPR:

[stayallive]

You can do this already to disable it:

add_filter( 'wp_sentry_public_options', function ( array $options ) {
    return array_merge( $options, array(
        'autoSessionTracking' => false,
    ));
} );

https://github.com/stayallive/wp-sentry/blob/78c3e93b8dca8f9167764e27677fece93613612a/wp-sentry.php#L71-L74

As you can see from the snippet above we do provide a release if possible and also communicate that with the JS SDK, you can set it yourself or let the Sentry plugin figure out the theme version. But if this is not available we do default to unknown indeed. You can override it by defining WP_SENTRY_VERSION yourself.

If you feel like the release health is violating GDPR or other privacy regulation by having it enabled by default open up an issue at the browser SDK repo: https://github.com/getsentry/sentry-javascript. I think it's not for a lone WordPress plugin to decide what the better defaults are :)

[caugner]

@stayallive As an alternative, could you please update the plugin description?

Essentially, the plugin currently advises itself as a smoke detector, when it is in fact reporting on any move any user is doing, including all form inputs. And the plugin description doesn't come from https://github.com/getsentry/sentry-javascript.

- A (unofficial) WordPress plugin to report PHP and JavaScript errors to Sentry.
+ A (unofficial) WordPress plugin that reports PHP and JavaScript errors (and all client- and server-side user actions) to Sentry.

[stayallive]

reports PHP and JavaScript errors (and all client- and server-side user actions) to Sentry

That is not what release health is doing at all, and for sure the PHP SDK is not since it doesn't even contain the release health features.

This is the payload sent by the release health ping taken from a WordPress site just a few minutes ago, you can see it for yourself by opening your browsers network console to see the network requests made to your Sentry server:

{
    "sent_at": "2021-10-06T17:51:20.700Z",
    "sdk": {
        "name": "sentry.javascript.browser",
        "version": "6.11.0"
    }
}{
    "type": "session"
}{
    "sid": "37c398f7ef60402590d77bc369dd3711",
    "init": true,
    "started": "2021-10-06T17:51:20.699Z",
    "timestamp": "2021-10-06T17:51:20.699Z",
    "status": "ok",
    "errors": 0,
    "attrs": {
        "release": "1.2.3",
        "environment": "production",
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4655.5 Safari/537.36"
    }
}

There is some info about the Browser and when the event occurred, no user actions that I can spot.

Only when tracing is enabled (which it is not by default) is more information about user interactions sent to the Sentry server without an error occurring but this is a feature you have to enable (in the case of this plugin by setting WP_SENTRY_BROWSER_TRACES_SAMPLE_RATE to anything other than 0) and is not enabled by default.

---

Please take this discussion up with Sentry and the Browser SDK if you feel like Sentry or the Browser/JavaScript SDK is doing something nefarious and I'm sure they will be able to explain the feature and what is actually tracked. I don't see any of the words you are suggesting on either the JavaScript or PHP SDK and as explained I don't think it's correct.

[caugner]

Sincere apologies, I must have remembered that wrong and mixed things up. Thank you for verifying and clarifying, and sorry for the trouble my mistake caused. I have marked my comment as outdated accordingly.