ApplicationInsights-JS

remove sensitive data from ai.operation.name tag

Open RemcoBlok opened this issue 3 years ago • 2 comments

When using OAuth2 / OpenID Connect, a redirect takes place with an access token in the URL fragment. This URL, including the access token in the URL fragment, appears in the ai.operation.name tag of telemetry. I would like to be able to remove the URL fragment from the ai.operation.name tag using a telemetry initializer. However, when a telemetry initializer is called the ai.operation.name tag is not yet set, so I am unable to remove the URL fragment from the tag. It appears the ai.operation.name tag is set after the telemetry initializer is called. Can this be changed please?

RemcoBlok avatar Apr 25 '22 10:04 RemcoBlok

Which version of the SDK are you using?

Looking through the code, this is populated from the automatic values assigned to the context.telemetryTrace.name (in the latest SDK), which is populated from the window.location.pathname, so assuming that the fragment (stuff after the '#') is being included in this for the browser, then the option would be to either:

  • Change this value during page load / SDK initialization to remove everything after the '#'
  • Do the same in the telemetry initializer (although you only need to do this once) -- but as it's a redirect scenario you probably won't be getting many events occurring -- this is of course assuming that you have a specific page being returned / initialized for the redirect flow.

MSNev avatar Apr 25 '22 16:04 MSNev

Thanks for your reply. We use version 2.8.1.

We managed to get the URL fragment containing an access token removed from the ai.operation.name tag by removing it from envelope.baseData.name and envelope.baseData.target where envelope.baseType is RemoteDependencyData.

We also had to remove the URL fragment containing an access token from envelope.baseData.uri and envelope.baseData.refUri where envelope.baseType is PageviewData and from envelope.baseData.uri where envelope.baseType is PageviewPerformanceData.

Finally, we also had to remove it from envelope.ext.trace.name for all telemetry. This one made us wonder if this might break how Application Insights correlates telemetry, but it seems to still be OK.

RemcoBlok avatar Apr 26 '22 15:04 RemcoBlok
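
The cleanup described in the comment above, written out as a telemetry initializer. This is an added example, not code from the thread or from the SDK: the names `FRAGMENT_FIELDS`, `stripFragment`, `scrubEnvelope` and `demo` are hypothetical, the sample envelope is constructed, and only the field list comes from the comment.

```javascript
// Fields per baseType that the thread reports as carrying the URL fragment.
const FRAGMENT_FIELDS = {
  RemoteDependencyData: ["name", "target"],
  PageviewData: ["uri", "refUri"],
  PageviewPerformanceData: ["uri"],
};

// Drop everything from the first '#' onward; non-strings pass through untouched.
function stripFragment(value) {
  if (typeof value !== "string") return value;
  const i = value.indexOf("#");
  return i === -1 ? value : value.slice(0, i);
}

// Telemetry initializer body. Mutates the envelope in place and returns true
// so the item is still sent (an initializer that returns false drops the item).
function scrubEnvelope(envelope) {
  const data = envelope.baseData;
  const fields = FRAGMENT_FIELDS[envelope.baseType] || [];
  if (data) {
    for (const f of fields) {
      if (f in data) data[f] = stripFragment(data[f]);
    }
  }
  // The thread reports ext.trace.name had to be cleaned on all telemetry.
  const trace = envelope.ext && envelope.ext.trace;
  if (trace && "name" in trace) trace.name = stripFragment(trace.name);
  return true;
}

// Constructed sample: a page view recorded on an implicit-flow redirect page.
function demo() {
  const envelope = {
    baseType: "PageviewData",
    baseData: {
      name: "Sign-in callback",
      uri: "https://app.example/callback#access_token=CONSTRUCTED&token_type=bearer",
      refUri: "https://app.example/#id_token=CONSTRUCTED",
    },
    ext: { trace: { name: "/callback#access_token=CONSTRUCTED" } },
  };
  scrubEnvelope(envelope);
  return envelope;
}

// Registration in the page: appInsights.addTelemetryInitializer(scrubEnvelope);
```

This removes the whole fragment, so an application that uses hash-based routing would lose the route portion of these fields as well.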

This Issue will be closed in 30 days. Please remove the "Stale" label or comment to avoid closure with no action.

github-actions[bot] avatar Mar 01 '23 07:03 github-actions[bot]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

github-actions[bot] avatar Apr 01 '24 00:04 github-actions[bot]