Don't include query parameters as part of the "http.url" span attribute

[Kami]

(Discussion moved from census-instrumentation/opencensus-python#725)

At the moment, http.url attribute of an HTTP request span contains full URL with query parameters (https://github.com/census-instrumentation/opencensus-specs/blob/master/trace/HTTP.md#attributes).

This is not ideal, because in a lot of scenarios, query parameters can contain sensitive data.

Things such as API keys, tokens, secrets, etc. That's a fairly common patterns when integrating with various webhook-like services which don't allow information such as secrets / tokens to be sent via HTTP headers so they are sent using query parameters.

It's also a fairly common pattern (for better or worse) when authenticating with various APIs.

Because of that, I propose removing query parameters part from the http.url span attribute.

To solve for a scenario where query parameters don't contain sensitive data (aka explicit opt-in or similar by a developer on the library level), we would add new http.query_params or similar attribute which is optional.

[codefromthecrypt]

in zipkin we solve this by not including url as a default tag. instead http.path on the other hand, it would be surprising to have url not include the full url

…

On Wed, Jul 24, 2019, 5:22 AM Tomaz Muraus ***@***.***> wrote: (Discussion moved from census-instrumentation/opencensus-python#725 <census-instrumentation/opencensus-python#725>) At the moment, http.url attribute of an HTTP request span contains full URL with query parameters ( https://github.com/census-instrumentation/opencensus-specs/blob/master/trace/HTTP.md#attributes ). This is not ideal, because in a lot of scenarios, query parameters can contain sensitive data. Things such as API keys, tokens, secrets, etc. That's a fairly common patterns when integrating with various webhook-like services which don't allow information such as secrets / tokens to be sent via HTTP headers so they are sent using query parameters. It's also a fairly common pattern (for better or worse) when authenticating with various APIs. Because of that, I propose removing query parameters part from the http.url span attribute. To solve for a scenario where query parameters don't contain sensitive data (aka explicit opt-in or similar by a developer on the library level), we would add new http.query_params or similar attribute which is optional. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#268?email_source=notifications&email_token=AAAPVVYFC4PLIEPISNQLJG3QA5ZCXA5CNFSM4IGJTTD2YY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4HBBQLMA>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAAPVVYLQQSKMG5IGOZQ4JDQA5ZCXANCNFSM4IGJTTDQ> .