Re: [w3ctag/design-reviews] Distributed Tracing WG: Baggage specification (#650)

Sorry for the long delay in replies.

> > For the baggage header, the user-agent will not do anything other than send the header.
> 
> This on its own is concerning security-wise and should be covered in the spec and explainer. For example, what happens on cross-origin requests (e.g. those made in `no-cors` mode): would the baggage header be included? How should cross-origin redirects be handled?

At the moment there are no plans to implement baggage as part of the user-agent. It will typically be done in the JavaScript library executing on the page. This JavaScript library will need to be configured to account for CORS correctly.

> I think a conceptually simple way to address this could be to guarantee that the baggage header can only be attached on requests that are same-origin to the response that included the baggage information. The spec already mentions that baggage data "does not leak beyond defined trust boundaries" but my guess is that the folks working on this need to put a little more thought into how this would work on the web.

We believe that defining the trust boundaries is not part of the specification, thus there are no specific details on how to implement CORS or configure trust boundaries on the web. Trust boundaries, especially involving many components of a distributed application, are typically very specific to the application and cannot be easily generalized as a specification. This, however, may be a whole new topic for the distributed tracing working group for future exploration.

> We're still looking for some more info related to security & privacy - specifically the response to the questionnaire... Also can you be a bit more clear on how you "forbid encoding user identifiable data"?

I think this is referring to the privacy section of a specification. The specification does not solve the problem of what data will be propagated through the distributed application components. It solves the problem of standardizing the way data is propagated so centralized solutions may be developed to inspect and secure this propagation. Many tools today allow this information to be propagated using custom headers which are vendor specific and not clearly documented. So users of these tools have less control over the data being transmitted. When tools follow the spec, it will be easier for users to control what is transmitted.

Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/650#issuecomment-909384552

Received on Tuesday, 31 August 2021 16:19:21 UTC