PII in Android system logs -- JS Console |
||||||||
Issue descriptionChrome Version: 70.0.3538.80 (Official Build) (32-bit) OS: Android Pie What steps will reproduce the problem? (1) $ adb logcat chromium:V "*:S" (2) Visit bing.com What is the expected result? There should be no PII in system logs per [1]. What happens instead? URLs show up in system logs (manually redacted): 11-14 11:50:22.685 22840 22840 I chromium: [INFO:CONSOLE(2)] "chrome.loadTimes() is deprecated, instead use standardized API: Paint Timing. https://www.chromestatus.com/features/5637885046816768.", source: https://www.bing.com/[REDACTED] (2) [1] https://chromium.googlesource.com/chromium/src/+/master/docs/android_logging.md#Rule-1_Never-log-PII-Personal-Identification-Information
,
Nov 14
Pavel, could you please take a look?
,
Nov 14
Splitting the domain reliability part off into issue 905262 .
,
Nov 14
,
Nov 15
I'm not sure how many app developers might expect to debug their app this way, and we have definitely debugged webview issues in the past by using these messages in user/developer reported bugs. However, these messages have *also* often been a source of confusion and caused people to believe there is an error/problem with their app when actually it's just a console message from some uninteresting third party content in webview. Sanitising them reasonably would be impossible since we have no idea what's being printed in them, so I guess removing them is probably the best answer; I'll start a quick thread on the webview team list to see if anyone has a different opinion though.
,
Nov 15
Thank you! Could you maybe add me to that thread?
,
Nov 15
Btw, in case folks need console messages in logcat for debugging, I think it'd be fine to provide a flag to enable that, it just should be off by default.
,
Nov 15
App developers cannot set flags on normal devices, alas.
,
Nov 22
Owner -> Assigned.
,
Nov 23
,
Nov 23
Hazem, could you please take this bug?
The conclusion, from email, is that it's ok to continue mirroring JS console messages to logcat when the application is debuggable, or the device is itself a debuggable build (!Build.TYPE.equals("user")).
,
Dec 3
Not devtools-related, removing label. |
||||||||
►
Sign in to add a comment |
||||||||
Comment 1 by tnagel@chromium.org
, Nov 14Summary: PII in Android system logs -- JS Console (was: PII in Android system logs)
If I'm reading the code correctly, the source of the deprecation message is WorkerOrWorkletGlobalScope::CountDeprecation(): AddConsoleMessage( ConsoleMessage::Create(kDeprecationMessageSource, kWarningMessageLevel, Deprecation::DeprecationMessage(feature))); But now I'm getting more messages, so it seems that the entire JS console is mirrored to logcat: 11-14 12:23:14.377 22840 22840 I chromium: [INFO:CONSOLE(546)] "Powered by AMP ⚡ HTML – Version 1811091519050", source: https://cdn.ampproject.org/rtv/011811091519050/amp4ads-v0.js (546) 11-14 12:23:17.479 22840 22840 I chromium: [INFO:CONSOLE(222)] "Uncaught SecurityError: Failed to read the 'cssRules' property from 'CSSStyleSheet': Cannot access rules", source: https://m.slashdot.org/ (222)