From bcc9daa124b3832a90850269f4a34006db7aada6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Paj=C4=85k?=
Date: Fri, 5 Mar 2021 15:20:04 +0100
Subject: [PATCH] http.url MUST NOT contain credentials (#1502)

---
 CHANGELOG.md | 1 +
 semantic_conventions/trace/http.yaml | 7 ++++--
 .../trace/semantic_conventions/http.md | 25 +++++++++++--------
 3 files changed, 20 insertions(+), 13 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 847f4d04765..aee42e40968 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@ release.
 - Add `runtime` to `container` semantic conventions ([#1482](https://github.com/open-telemetry/opentelemetry-specification/pull/1482))
 - Rename `gcp_gke` to `gcp_kubernetes_engine` to have consistency with other Google products under `cloud.infrastructure_service` ([#1496](https://github.com/open-telemetry/opentelemetry-specification/pull/1496))
+- `http.url` MUST NOT contain credentials ([#1502](https://github.com/open-telemetry/opentelemetry-specification/pull/1502))
 
 ## v1.0.1 (2021-02-11)
 
diff --git a/semantic_conventions/trace/http.yaml b/semantic_conventions/trace/http.yaml
index 3f765e038e8..a0c66f87944 100644
--- a/semantic_conventions/trace/http.yaml
+++ b/semantic_conventions/trace/http.yaml
@@ -16,6 +16,9 @@ groups:
         brief: >
           Full HTTP request URL in the form `scheme://host[:port]/path?query[#fragment]`.
           Usually the fragment is not transmitted over HTTP, but if it is known, it should be included nevertheless.
+        note: >
+          `http.url` MUST NOT contain credentials passed via URL in form of `https://username:password@www.example.com/`.
+          In such case the attribute's value should be `https://www.example.com/`.
         examples: ['https://www.foo.bar/search?q=OpenTelemetry#SemConv']
       - id: target
         type: string
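Review bot: The new `note` on `http.url` names only the `username:password@` form, so a URL with a bare userinfo component such as `https://user@www.example.com/` is not clearly covered even though it also carries an identity that should not land in telemetry. The second sentence also softens the requirement to "should" while the first sentence uses MUST, leaving it ambiguous whether stripping is mandatory. Suggest tightening the note to: ``The `http.url` attribute MUST NOT contain credentials passed via URL in the form of `https://username:password@www.example.com/`. In such a case the userinfo component MUST be removed and the attribute value becomes `https://www.example.com/`.`` Whether query parameters carrying tokens (e.g. `?access_token=...`) deserve the same treatment is not addressed here; if that is intentionally out of scope, saying so in the note would save implementers from guessing.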
@@ -58,7 +61,7 @@ groups:
             - id: QUIC
               value: 'QUIC'
               brief: 'QUIC protocol.'
-        brief: 'Kind of HTTP protocol used'
+        brief: 'Kind of HTTP protocol used.'
         note: >
           If `net.transport` is not specified, it can be assumed to be `IP.TCP` except if `http.flavor` is `QUIC`, in which case `IP.UDP` is assumed.
@@ -140,4 +143,4 @@ groups:
         - [http.scheme, http.host, http.target]
         - [http.scheme, http.server_name, net.host.port, http.target]
         - [http.scheme, net.host.name, net.host.port, http.target]
-        - [http.url]
\ No newline at end of file
+        - [http.url]
diff --git a/specification/trace/semantic_conventions/http.md b/specification/trace/semantic_conventions/http.md
index 6f5d81f0e4b..dd33fa27cd0 100644
--- a/specification/trace/semantic_conventions/http.md
+++ b/specification/trace/semantic_conventions/http.md
@@ -10,14 +10,15 @@ and various HTTP versions like 1.1, 2 and SPDY.
-- [Name](#name)
-- [Status](#status)
-- [Common Attributes](#common-attributes)
-- [HTTP client](#http-client)
-- [HTTP server](#http-server)
-  * [HTTP server definitions](#http-server-definitions)
-  * [HTTP Server semantic conventions](#http-server-semantic-conventions)
-- [HTTP client-server example](#http-client-server-example)
+- [Semantic conventions for HTTP spans](#semantic-conventions-for-http-spans)
+  - [Name](#name)
+  - [Status](#status)
+  - [Common Attributes](#common-attributes)
+  - [HTTP client](#http-client)
+  - [HTTP server](#http-server)
+    - [HTTP server definitions](#http-server-definitions)
+    - [HTTP Server semantic conventions](#http-server-semantic-conventions)
+  - [HTTP client-server example](#http-client-server-example)
@@ -55,19 +56,21 @@ Don't set the span status description if the reason can be inferred from `http.s
 | Attribute | Type | Description | Examples | Required |
 |---|---|---|---|---|
 | `http.method` | string | HTTP request method. | `GET`; `POST`; `HEAD` | Yes |
-| `http.url` | string | Full HTTP request URL in the form `scheme://host[:port]/path?query[#fragment]`. Usually the fragment is not transmitted over HTTP, but if it is known, it should be included nevertheless. | `https://www.foo.bar/search?q=OpenTelemetry#SemConv` | No |
+| `http.url` | string | Full HTTP request URL in the form `scheme://host[:port]/path?query[#fragment]`. Usually the fragment is not transmitted over HTTP, but if it is known, it should be included nevertheless. [1] | `https://www.foo.bar/search?q=OpenTelemetry#SemConv` | No |
 | `http.target` | string | The full request target as passed in a HTTP request line or equivalent. | `/path/12314/?q=ddds#123` | No |
 | `http.host` | string | The value of the [HTTP host header](https://tools.ietf.org/html/rfc7230#section-5.4). When the header is empty or not present, this attribute should be the same. | `www.example.org` | No |
 | `http.scheme` | string | The URI scheme identifying the used protocol. | `http`; `https` | No |
 | `http.status_code` | number | [HTTP response status code](https://tools.ietf.org/html/rfc7231#section-6). | `200` | If and only if one was received/sent. |
-| `http.flavor` | string | Kind of HTTP protocol used [1] | `1.0` | No |
+| `http.flavor` | string | Kind of HTTP protocol used. [2] | `1.0` | No |
 | `http.user_agent` | string | Value of the [HTTP User-Agent](https://tools.ietf.org/html/rfc7231#section-5.5.3) header sent by the client. | `CERN-LineMode/2.15 libwww/2.17b3` | No |
 | `http.request_content_length` | number | The size of the request payload body in bytes. This is the number of bytes transferred excluding headers and is often, but not always, present as the [Content-Length](https://tools.ietf.org/html/rfc7230#section-3.3.2) header. For requests using transport encoding, this should be the compressed size. | `3495` | No |
 | `http.request_content_length_uncompressed` | number | The size of the uncompressed request payload body after transport decoding. Not set if transport encoding not used. | `5493` | No |
 | `http.response_content_length` | number | The size of the response payload body in bytes. This is the number of bytes transferred excluding headers and is often, but not always, present as the [Content-Length](https://tools.ietf.org/html/rfc7230#section-3.3.2) header. For requests using transport encoding, this should be the compressed size. | `3495` | No |
 | `http.response_content_length_uncompressed` | number | The size of the uncompressed response payload body after transport decoding. Not set if transport encoding not used. | `5493` | No |
 
-**[1]:** If `net.transport` is not specified, it can be assumed to be `IP.TCP` except if `http.flavor` is `QUIC`, in which case `IP.UDP` is assumed.
+**[1]:** `http.url` MUST NOT contain credentials passed via URL in form of `https://username:password@www.example.com/`. In such case the attribute's value should be `https://www.example.com/`.
+
+**[2]:** If `net.transport` is not specified, it can be assumed to be `IP.TCP` except if `http.flavor` is `QUIC`, in which case `IP.UDP` is assumed.
 
 `http.flavor` MUST be one of the following or, if none of the listed values apply, a custom value: