Replay: Make unmasking of detectable sensitive fields impossible

[bruno-garcia]

Sentry Replay by default masks all text. But users are able to unmask things by opt-ing out of unmasking.

An additional safety net is to skip the unmasking process for some field types, like type='password':

• feat: Ensure password inputs are always masked rrweb#78

Some sensitive fields are not well defined but somehow integrations like 1password can pre-fill credit card and CVV info.
Would be great to also avoid recording those altogether. To make sure someone who accidently (or due to malice) removed masking does not capture that data.

[mydea]

An additional safety net is to skip the unmasking process for some field types, like type='password' (I believe we do this already but couldn't find it on the docs)

Yes, we force masking of password inputs in rrweb itself!

Some sensitive fields are not well defined but somehow integrations like 1password can pre-fill credit card and CVV info.
Would be great to also avoid recording those altogether. To make sure someone who accidently (or due to malice) removed masking does not capture that data.

There are ways to infer if something is a credit card field etc. I think I've written this down somewhere already at some point, but no idea where, but the easiest approach is to look at this: https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/autocomplete

The following could be considered un-unmaskable:

• [autocomplete=current-password]
• [autocomplete=new-password]
• [autocomplete=cc-number]
• [autocomplete=cc-exp]
• [autocomplete=cc-exp-month]
• [autocomplete=cc-exp=year]
• [autocomplete=cc-csc]

this obv. only works if these are set, but they are also very reliable and we can pretty much rule out false positives there, I think.

[bruno-garcia]

Yes, we force masking of password inputs in rrweb itself!

We had an issue where a replay that was explicitly unmasking everything had some input=password show its content. We'll investigate further.

First look from @mydea had him say:

maybe the problem is that the value is inlined in the html, we mostly handle this in Dom listeners . Not sure but will look into it next week!

Additional context we received in how this situation can happen:

Some additional context; the password was originally masked but upon clicking the Password Reveal Button it was unmasked.