Define allowlist of URLs to capture replay request bodies/headers for

[mydea]

For replay network breadcrumbs, we want users to define an allowlist of URLs for which to capture bodies/headers.

The idea is that we do not blindly capture anything (which could contain PII), but to have users opt in for which URLs they want to capture bodies/headers.

Proposed API

new Replay({
  network: {
    urls: ['https://my-api.com', /https:\/\/custom-api\.com/],
  },
});

urls provided as strings will be contains-matched, if you need exact matches you can use a regex (similar to tracePropagationTargets).

UI changes

Since this would mean that bodies/headers are opt in, it would be important to educate users about the possibility to do so.
In addition to adding this to the docs generally, we should also handle this in the replay UI.

One idea is to add a warning flag to the request/response _meta that indicates that this was ignored due to urls nor matching. Then in the UI, when a user clicks on a request, we could show a message like:

The body & headers for this request have not been captured because network.urls does not match it. If you want to start capturing this request, modify your SDK config and add network: { urls: ['https://url-domain.com'] } } in order to capture bodies & headers for all API requests to this domain.

[ryan953]

+1 on the _meta field. That could be useful to pass any kind of metadata to the frontend. I'm thinking like truncation info, metadata about scrubbed data... yeah.