HTTP Span Attributes: http.url must not contain username / password #1675

Closed
matej-g opened this issue Mar 8, 2021 · 3 comments · Fixed by #1919

matej-g (Contributor) commented Mar 8, 2021

As is stated in the recent specification change:

> http.url MUST NOT contain credentials passed via URL in form of https://username:password@www.example.com/. In such case the attribute's value should be https://www.example.com/.

This should be reflected in HTTPClientAttributesFromHTTPRequest.

mrveera (Contributor) commented Mar 8, 2021

I understand this is coming from the spec, but for the end user it won't be evident that the URL contained a username and password when it got here. Instead, if we have a redacted version like https://***:***@www.example.com/, it will be more evident that the URL contains a username and password but they are redacted for security reasons.

If we don't go with the redacted version, it might cause ambiguity for someone checking whether the URL contains creds or not, because spans with creds and without creds will be the same.

matej-g (Contributor, Author) commented Mar 9, 2021

> If we don't go with the redacted version, it might cause ambiguity for someone checking whether the URL contains creds or not, because spans with creds and without creds will be the same.

Yes, I think this could be a valid concern. However, it seems the specification suggests dropping everything (see the quoted excerpt in the issue description, also see the discussion). Maybe in such cases this could be alleviated in another way, perhaps by adding an attribute, if desired?

pellared (Member) commented Mar 9, 2021

For the sake of transparency: open-telemetry/opentelemetry-specification#1502 (comment)
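
A sketch of the behaviour this issue asks for, as an added example that is not opentelemetry-go's own code. The helper names `stripUserinfo` and `sanitizeRawURL` are hypothetical, and the `hadCreds` return value is one assumed way to carry the separate signal suggested in the thread.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// stripUserinfo returns the string to record as http.url and reports whether
// the original URL carried userinfo. Hypothetical helper for illustration.
func stripUserinfo(u *url.URL) (value string, hadCreds bool) {
	if u == nil {
		return "", false
	}
	if u.User == nil {
		return u.String(), false
	}
	clean := *u // shallow copy: the request that is sent keeps its credentials
	clean.User = nil
	return clean.String(), true
}

// sanitizeRawURL does the same for an unparsed string. On a parse failure it
// returns ok=false and an empty value: the raw input may still hold the
// credentials, and the *url.Error text quotes the input, so neither is returned.
func sanitizeRawURL(raw string) (value string, hadCreds, ok bool) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", false, false
	}
	value, hadCreds = stripUserinfo(u)
	return value, hadCreds, true
}

func main() {
	// Constructed sample request using the URL from the issue text.
	req, _ := http.NewRequest(http.MethodGet, "https://username:password@www.example.com/", nil)
	value, hadCreds := stripUserinfo(req.URL)
	fmt.Println(value, hadCreds)     // value for the http.url attribute
	fmt.Println(req.URL.User != nil) // the request itself is unchanged
}
```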
