PII in Android system logs -- domain reliability |
|||
Issue descriptionChrome Version: 70.0.3538.80 (Official Build) (32-bit) OS: Android Pie What steps will reproduce the problem? (1) $ adb logcat chromium:V "*:S" (2) Surf the web (maybe most likely to repro on Google properties?) What is the expected result? There should be no PII in system logs per [1]. What happens instead? URLs show up in system logs: 11-14 11:51:23.441 22840 22905 W chromium: [WARNING:monitor.cc(413)] Request to https://www.google.de/domainreliability/upload had (at least) two NEL headers: "{"failure_fraction":1" and ""include_subdomains":false". 11-14 11:51:23.983 22840 22905 W chromium: [WARNING:monitor.cc(413)] Request to https://beacons5.gvt3.com/domainreliability/upload-redirected had (at least) two NEL headers: "{"failure_fraction":1" and ""include_subdomains":false". 11-14 11:51:28.991 22840 22905 W chromium: [WARNING:monitor.cc(413)] Request to https://beacons3.gvt2.com/domainreliability/upload-nel had (at least) two NEL headers: "{"failure_fraction":1" and ""include_subdomains":false". 11-14 11:52:29.084 22840 22905 W chromium: [WARNING:monitor.cc(413)] Request to https://www.google.de/domainreliability/upload had (at least) two NEL headers: "{"failure_fraction":1" and ""include_subdomains":false". 11-14 11:52:29.091 22840 22905 W chromium: [WARNING:monitor.cc(413)] Request to https://beacons2.gvt2.com/domainreliability/upload-nel had (at least) two NEL headers: "{"failure_fraction":1" and ""include_subdomains":false". [1] https://chromium.googlesource.com/chromium/src/+/master/docs/android_logging.md#Rule-1_Never-log-PII-Personal-Identification-Information
,
Nov 14
Sorry, can I get more context here? What logging are we talking about? Is this LOG(INFO) style logging? Is this Chrome net-internals? Is the PII here the two headers, "failure_fraction" and "include_subdomains"? That doesn't look like PII to me, but maybe I'm not understanding.
,
Nov 14
Thanks for looking into this! It's LOG(WARNING) in [1]. The PII is in the URL which may be indicative of the URL that the user has been browsing. [1] https://cs.chromium.org/chromium/src/components/domain_reliability/monitor.cc?q=monitor.cc&sq=package:chromium&dr&l=413
,
Nov 14
,
Nov 14
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/99c53bcfb565218859bb8f4a99dcc18891fa1d4b commit 99c53bcfb565218859bb8f4a99dcc18891fa1d4b Author: Misha Efimov <mef@chromium.org> Date: Wed Nov 14 20:26:23 2018 Prevent PII logging in domain reliability component. Bug: 905262 Change-Id: I84199aa390a7b67e996d9022e94a826363084796 Reviewed-on: https://chromium-review.googlesource.com/c/1335954 Reviewed-by: Eric Orth <ericorth@chromium.org> Commit-Queue: Misha Efimov <mef@chromium.org> Cr-Commit-Position: refs/heads/master@{#608109} [modify] https://crrev.com/99c53bcfb565218859bb8f4a99dcc18891fa1d4b/components/domain_reliability/context.cc [modify] https://crrev.com/99c53bcfb565218859bb8f4a99dcc18891fa1d4b/components/domain_reliability/context_manager.cc [modify] https://crrev.com/99c53bcfb565218859bb8f4a99dcc18891fa1d4b/components/domain_reliability/header.cc [modify] https://crrev.com/99c53bcfb565218859bb8f4a99dcc18891fa1d4b/components/domain_reliability/monitor.cc [modify] https://crrev.com/99c53bcfb565218859bb8f4a99dcc18891fa1d4b/components/domain_reliability/uploader.cc
,
Nov 14
,
Nov 15
Many thanks for the quick turnaround! |
|||
►
Sign in to add a comment |
|||
Comment 1 by tnagel@chromium.org
, Nov 14