replay: add dd-privacy attribute for obfuscation & ignoring input (#715)

* recorder: introduce helpers to obfuscate elements

Adds the nodeIsHidden & nodeOrAncestorsAreHidden helpers.

These helpers, part of the new "privacy" file, replace rrweb's
isBlocked() and rrweb-snapshot's _isBlockedElement() functions.

They do not rely on the blockClass variable (removed in a later
commit), but instead use constants defined within the same file.

An element is considered hidden if it has the data attribute
"data-dd-privacy" set to "hidden" or a class of "dd-privacy-hidden".

* recorder: introduce helpers to ignore input

Adds the nodeHasInputIngored & nodeOrAncestorsHaveInputIngnored
helpers.

These helpers will return true when a node should have it's input
ignored, either because an attribute/class is set, or because it's a
kind of input we don't want to track.

They do not rely on the ignoreClass variable (removed in a later
commit), but instead use constants defined within the same file.

An element is considered ignored if it has the data attribute
"data-dd-privacy" set to "input-ignored", a class of
"dd-privacy-input-ingored", or a type of "email", "password" or "tel".

* recorder: add unit tests for obfuscation & input ignore

* e2e: update appium version

Calls to setValue() would fail with 1.9.1:

	Error: invalid argument: 'value' must be a list
	  (Session info: chrome=86.0.4240.198)
	  (Driver info: chromedriver=86.0.4240.22 (398b0743353ff36fb1b82468f63a3a93b4e2e89e-refs/branch-heads/4240@{#378}),platform=Linux 4.1.13-101.fc21.x86_64 x86_64)

* recorder: add e2e tests for obfuscation & input ignore

* recorder: remove unused variables

blockClass, blockSelector, and ignoreClass are now unused

* recorder: rename helpers

Renames:
- nodeIsHidden to nodeShouldBeHidden
- nodeOrAncestorsAreHidden to nodeOrAncestorsShouldBeHidden
- nodeHasInputIngored to nodeShouldHaveInputIngored
- nodeOrAncestorsHaveInputIngnored to nodeOrAncestorsShouldHaveInputIngnored

* recorder: rename ElementNode's needBlock to shouldBeHidden

Author: vlad-mh

packages/rum-recorder/src/domain/privacy.spec.ts

@@ -0,0 +1,114 @@
+import { isIE } from '@datadog/browser-core'
+import {
+  nodeShouldBeHidden,
+  nodeOrAncestorsShouldBeHidden,
+  nodeShouldHaveInputIgnored,
+  nodeOrAncestorsShouldHaveInputIgnored,
+} from './privacy'
+
+describe('privacy helpers', () => {
+  beforeEach(() => {
+    if (isIE()) {
+      pending('IE not supported')
+    }
+  })
+
+  describe('for hiding blocks', () => {
+    it('considers a normal DOM Element as not hidden', () => {
+      const node = document.createElement('p')
+      expect(nodeShouldBeHidden(node)).toBeFalsy()
+    })
+    it('considers a DOM Element with a data-dd-privacy="hidden" attribute as hidden', () => {
+      const node = document.createElement('p')
+      node.setAttribute('data-dd-privacy', 'hidden')
+      expect(nodeShouldBeHidden(node)).toBeTruthy()
+    })
+    it('considers a DOM Element with a data-dd-privacy="foo" attribute as not hidden', () => {
+      const node = document.createElement('p')
+      node.setAttribute('data-dd-privacy', 'foo')
+      expect(nodeShouldBeHidden(node)).toBeFalsy()
+    })
+    it('considers a DOM Element with a dd-privacy-hidden class as hidden', () => {
+      const node = document.createElement('p')
+      node.className = 'dd-privacy-hidden'
+      expect(nodeShouldBeHidden(node)).toBeTruthy()
+    })
+    it('considers a normal DOM Element with a normal parent as not hidden', () => {
+      const node = document.createElement('p')
+      const parent = document.createElement('div')
+      parent.appendChild(node)
+      expect(nodeOrAncestorsShouldBeHidden(node)).toBeFalsy()
+    })
+    it('considers a DOM Element with a parent node with a dd-privacy="hidden" attribute as hidden', () => {
+      const node = document.createElement('p')
+      const parent = document.createElement('div')
+      parent.setAttribute('data-dd-privacy', 'hidden')
+      parent.appendChild(node)
+      expect(nodeOrAncestorsShouldBeHidden(node)).toBeTruthy()
+    })
+    it('considers a DOM Element with a parent node with a dd-privacy-hidden class as hidden', () => {
+      const node = document.createElement('p')
+      const parent = document.createElement('div')
+      parent.className = 'dd-privacy-hidden'
+      parent.appendChild(node)
+      expect(nodeOrAncestorsShouldBeHidden(node)).toBeTruthy()
+    })
+    it('considers a DOM Document as not hidden', () => {
+      expect(nodeOrAncestorsShouldBeHidden(document)).toBeFalsy()
+    })
+  })
+  describe('for ignoring input events', () => {
+    it('considers a normal DOM Element as not to be ignored', () => {
+      const node = document.createElement('input')
+      expect(nodeShouldHaveInputIgnored(node)).toBeFalsy()
+    })
+    it('considers a DOM Element with a data-dd-privacy="input-ignored" attribute to be ignored', () => {
+      const node = document.createElement('input')
+      node.setAttribute('data-dd-privacy', 'input-ignored')
+      expect(nodeShouldHaveInputIgnored(node)).toBeTruthy()
+    })
+    it('considers a DOM Element with a data-dd-privacy="foo" attribute as not to be ignored', () => {
+      const node = document.createElement('input')
+      node.setAttribute('data-dd-privacy', 'foo')
+      expect(nodeShouldHaveInputIgnored(node)).toBeFalsy()
+    })
+    it('considers a DOM Element with a dd-privacy-input-ignored class to be ignored', () => {
+      const node = document.createElement('input')
+      node.className = 'dd-privacy-input-ignored'
+      expect(nodeShouldHaveInputIgnored(node)).toBeTruthy()
+    })
+    it('considers a DOM HTMLInputElement with a type of "password" to be ignored', () => {
+      const node = document.createElement('input')
+      node.type = 'password'
+      expect(nodeShouldHaveInputIgnored(node)).toBeTruthy()
+    })
+    it('considers a DOM HTMLInputElement with a type of "text" as not to be ignored', () => {
+      const node = document.createElement('input')
+      node.type = 'text'
+      expect(nodeShouldHaveInputIgnored(node)).toBeFalse()
+    })
+    it('considers a normal DOM Element with a normal parent as not to be ignored', () => {
+      const node = document.createElement('input')
+      const parent = document.createElement('form')
+      parent.appendChild(node)
+      expect(nodeOrAncestorsShouldHaveInputIgnored(node)).toBeFalsy()
+    })
+    it('considers a DOM Element with a parent node with a dd-privacy="input-ignored" attribute to be ignored', () => {
+      const node = document.createElement('input')
+      const parent = document.createElement('form')
+      parent.setAttribute('data-dd-privacy', 'input-ignored')
+      parent.appendChild(node)
+      expect(nodeOrAncestorsShouldHaveInputIgnored(node)).toBeTruthy()
+    })
+    it('considers a DOM Element with a parent node with a dd-privacy-input-ignored class to be ignored', () => {
+      const node = document.createElement('input')
+      const parent = document.createElement('form')
+      parent.className = 'dd-privacy-input-ignored'
+      parent.appendChild(node)
+      expect(nodeOrAncestorsShouldHaveInputIgnored(node)).toBeTruthy()
+    })
+    it('considers a DOM Document as not to be ignored', () => {
+      expect(nodeOrAncestorsShouldHaveInputIgnored(document)).toBeFalsy()
+    })
+  })
+})

packages/rum-recorder/src/domain/privacy.ts

@@ -0,0 +1,70 @@
+const PRIVACY_ATTR_NAME = 'data-dd-privacy'
+const PRIVACY_ATTR_VALUE_HIDDEN = 'hidden'
+const PRIVACY_ATTR_VALUE_INPUT_IGNORED = 'input-ignored'
+
+const PRIVACY_CLASS_HIDDEN = 'dd-privacy-hidden'
+const PRIVACY_CLASS_INPUT_IGNORED = 'dd-privacy-input-ignored'
+
+// PRIVACY_INPUT_TYPES_TO_IGNORE defines the input types whose input
+// events we want to ignore by default, as they often contain PII.
+// TODO: We might want to differentiate types to fully ignore vs types
+// to obfuscate.
+const PRIVACY_INPUT_TYPES_TO_IGNORE = ['email', 'password', 'tel']
+
+// Returns true if the given DOM node should be hidden. Ancestors
+// are not checked.
+export function nodeShouldBeHidden(node: Node): boolean {
+  return (
+    isElement(node) &&
+    (node.getAttribute(PRIVACY_ATTR_NAME) === PRIVACY_ATTR_VALUE_HIDDEN ||
+      node.classList.contains(PRIVACY_CLASS_HIDDEN))
+  )
+}
+
+// Returns true if the given DOM node should be hidden, recursively
+// checking its ancestors.
+export function nodeOrAncestorsShouldBeHidden(node: Node | null): boolean {
+  if (!node) {
+    return false
+  }
+
+  if (nodeShouldBeHidden(node)) {
+    return true
+  }
+
+  return nodeOrAncestorsShouldBeHidden(node.parentNode)
+}
+
+// Returns true if the given DOM node should have it's input events
+// ignored. Ancestors are not checked.
+export function nodeShouldHaveInputIgnored(node: Node): boolean {
+  return (
+    isElement(node) &&
+    (node.getAttribute(PRIVACY_ATTR_NAME) === PRIVACY_ATTR_VALUE_INPUT_IGNORED ||
+      node.classList.contains(PRIVACY_CLASS_INPUT_IGNORED) ||
+      // if element is an HTMLInputElement, check the type is not to be ignored by default
+      (isInputElement(node) && PRIVACY_INPUT_TYPES_TO_IGNORE.includes(node.type)))
+  )
+}
+
+// Returns true if the given DOM node should have it's input events
+// ignored, recursively checking its ancestors.
+export function nodeOrAncestorsShouldHaveInputIgnored(node: Node | null): boolean {
+  if (!node) {
+    return false
+  }
+
+  if (nodeShouldHaveInputIgnored(node)) {
+    return true
+  }
+
+  return nodeOrAncestorsShouldHaveInputIgnored(node.parentNode)
+}
+
+function isElement(node: Node): node is Element {
+  return node.nodeType === node.ELEMENT_NODE
+}
+
+function isInputElement(elem: Element): elem is HTMLInputElement {
+  return elem.tagName === 'INPUT'
+}

packages/rum-recorder/src/domain/rrweb-snapshot/snapshot.ts

@@ -1,5 +1,5 @@
 /* eslint-disable no-underscore-dangle */
-import { forEach } from '../rrweb/utils'
+import { nodeShouldBeHidden } from '../privacy'
 import {
   SerializedNode,
   SerializedNodeWithId,
@@ -159,41 +159,16 @@ export function transformAttribute(doc: Document, name: string, value: string):
   return value
 }
 
-export function isBlockedElement(
-  element: HTMLElement,
-  blockClass: string | RegExp,
-  blockSelector: string | null
-): boolean {
-  if (typeof blockClass === 'string') {
-    if (element.classList.contains(blockClass)) {
-      return true
-    }
-  } else {
-    forEach(element.classList, (className: string) => {
-      if (blockClass.test(className)) {
-        return true
-      }
-    })
-  }
-  if (blockSelector) {
-    return element.matches(blockSelector)
-  }
-
-  return false
-}
-
 function serializeNode(
   n: Node,
   options: {
     doc: Document
-    blockClass: string | RegExp
-    blockSelector: string | null
     inlineStylesheet: boolean
     maskInputOptions: MaskInputOptions
     recordCanvas: boolean
   }
 ): SerializedNode | false {
-  const { doc, blockClass, blockSelector, inlineStylesheet, maskInputOptions = {}, recordCanvas } = options
+  const { doc, inlineStylesheet, maskInputOptions = {}, recordCanvas } = options
   switch (n.nodeType) {
     case n.DOCUMENT_NODE:
       return {
@@ -208,7 +183,7 @@ function serializeNode(
         systemId: (n as DocumentType).systemId,
       }
     case n.ELEMENT_NODE:
-      const needBlock = isBlockedElement(n as HTMLElement, blockClass, blockSelector)
+      const shouldBeHidden = nodeShouldBeHidden(n)
       const tagName = getValidTagName((n as HTMLElement).tagName)
       let attributes: Attributes = {}
       for (const { name, value } of Array.from((n as HTMLElement).attributes)) {
@@ -276,7 +251,7 @@ function serializeNode(
       if ((n as HTMLElement).scrollTop) {
         attributes.rr_scrollTop = (n as HTMLElement).scrollTop
       }
-      if (needBlock) {
+      if (shouldBeHidden) {
         const { width, height } = (n as HTMLElement).getBoundingClientRect()
         attributes = {
           class: attributes.class,
@@ -290,7 +265,7 @@ function serializeNode(
         attributes,
         childNodes: [],
         isSVG: isSVGElement(n as Element) || undefined,
-        needBlock,
+        shouldBeHidden,
       }
     case n.TEXT_NODE:
       // The parent node may not be a html element which has a tagName attribute.
@@ -407,8 +382,6 @@ export function serializeNodeWithId(
   options: {
     doc: Document
     map: IdNodeMap
-    blockClass: string | RegExp
-    blockSelector: string | null
     skipChild: boolean
     inlineStylesheet: boolean
     maskInputOptions?: MaskInputOptions
@@ -420,8 +393,6 @@ export function serializeNodeWithId(
   const {
     doc,
     map,
-    blockClass,
-    blockSelector,
     skipChild = false,
     inlineStylesheet = true,
     maskInputOptions = {},
@@ -431,8 +402,6 @@ export function serializeNodeWithId(
   let { preserveWhiteSpace = true } = options
   const _serializedNode = serializeNode(n, {
     doc,
-    blockClass,
-    blockSelector,
     inlineStylesheet,
     maskInputOptions,
     recordCanvas,
@@ -466,9 +435,9 @@ export function serializeNodeWithId(
   map[id] = n as INode
   let recordChild = !skipChild
   if (serializedNode.type === NodeType.Element) {
-    recordChild = recordChild && !serializedNode.needBlock
+    recordChild = recordChild && !serializedNode.shouldBeHidden
     // this property was not needed in replay side
-    delete serializedNode.needBlock
+    delete serializedNode.shouldBeHidden
   }
   if ((serializedNode.type === NodeType.Document || serializedNode.type === NodeType.Element) && recordChild) {
     if (
@@ -483,8 +452,6 @@ export function serializeNodeWithId(
       const serializedChildNode = serializeNodeWithId(childN, {
         doc,
         map,
-        blockClass,
-        blockSelector,
         skipChild,
         inlineStylesheet,
         maskInputOptions,
@@ -503,22 +470,13 @@ export function serializeNodeWithId(
 export function snapshot(
   n: Document,
   options?: {
-    blockClass?: string | RegExp
     inlineStylesheet?: boolean
     maskAllInputs?: boolean | MaskInputOptions
     slimDOM?: boolean | SlimDOMOptions
     recordCanvas?: boolean
-    blockSelector?: string | null
   }
 ): [SerializedNodeWithId | null, IdNodeMap] {
-  const {
-    blockClass = 'rr-block',
-    inlineStylesheet = true,
-    recordCanvas = false,
-    blockSelector = null,
-    maskAllInputs = false,
-    slimDOM = false,
-  } = options || {}
+  const { inlineStylesheet = true, recordCanvas = false, maskAllInputs = false, slimDOM = false } = options || {}
   const idNodeMap: IdNodeMap = {}
   const maskInputOptions: MaskInputOptions =
     maskAllInputs === true
@@ -565,8 +523,6 @@ export function snapshot(
     serializeNodeWithId(n, {
       doc: n,
       map: idNodeMap,
-      blockClass,
-      blockSelector,
       skipChild: false,
       inlineStylesheet,
       maskInputOptions,

packages/rum-recorder/src/domain/rrweb-snapshot/types.ts

@@ -28,7 +28,7 @@ export type ElementNode = {
   attributes: Attributes
   childNodes: SerializedNodeWithId[]
   isSVG?: true
-  needBlock?: boolean
+  shouldBeHidden?: boolean
 }
 
 export type TextNode = {

packages/rum-recorder/src/domain/rrweb/mutation.spec.ts

@@ -29,8 +29,6 @@ describe('MutationBuffer', () => {
     mutationBuffer = new MutationBuffer()
     mutationBuffer.init(
       mutationCallbackSpy,
-      DEFAULT_OPTIONS.blockClass,
-      DEFAULT_OPTIONS.blockSelector,
       DEFAULT_OPTIONS.inlineStylesheet,
       DEFAULT_OPTIONS.maskInputOptions,
       DEFAULT_OPTIONS.recordCanvas,