✨ add new privacy rule for autocomplete password value

[zyhou]

Hello,

Motivation

There are multiple ways to hide an element from RUM Session Replay (documentation):

• Using an HTML attribute: data-dd-privacy="allow" | "mask" | "hidden" | "mask-user-input"
• Using CSS classes: class="dd-privacy-allow" | "dd-privacy-mask-user-input" | "dd-privacy-mask" | "dd-privacy-hidden"

By default, some HTML elements are automatically masked:

• Input elements of type password, email, and tel
• Elements with autocomplete attributes for credit card numbers, expiration dates, and security codes

However, this doesn't currently handle new-password and current-password autocomplete attributes.

Why isn't type="password" sufficient?
This is mainly due to password visibility toggle components, where libraries and custom code temporarily change the input type from password to text to show the password, then revert it back to password.

Changes

I have updated the condition for autocomplete attributes using the same logic as cc- prefixes.
My main question is whether we should use an endsWith logic? This would match the current cc- implementation, or we could be more explicit:

if (autocomplete && (
    autocomplete.indexOf('cc-') === 0 ||
    autocomplete === 'new-password' ||
    autocomplete === 'current-password'
)) {
    return NodePrivacyLevel.MASK
}

Can you update the documentation too?

Testing

• Local
• Staging
• Unit
• End to end

---

I have gone over the contributing documentation.

[bits-bot]

All committers have signed the CLA.

[cy-moi]

Hi @zyhou,
Thank you for contributing! This is a great change. We are going to take over and merge this.