[Feature Request]: ability to mask attributes

[pauldambra]

Preflight Checklist

• I have searched the issue tracker for a feature request that matches the one I want to file, without success.

What package is this feature request for?

rrweb

Problem Description

see https://posthog.com/questions/scrubbing-html-attributes-from-dom-in-session-recordings

where a customer asks us for the ability to mask the content of an element's attribute - in that case aria-label might contain PII and they'd like to ensure it isn't captured

we can mask an element's text or an input's value

i believe it isn't possible to mask an element's attribute

Proposed Solution

addition of a function maskElement(element: Element) => Element | null

this would run ahead of other processing of a node and let you carry out arbitrary masking
for this case you could iterate and mask attributes
in practice it lets you carry out arbitrary alteration of the element

Alternatives Considered

if arbitrary alterations of the captured element are undesirable

then add a maskAttributes(attributes: SomeType[]) => SomeType[] | null

Additional Information

No response

[eoghanmurray]

Are these attributes visible anywhere during replay?
It's possible to have PII in comments, in headings etc., so it's hard to be exhaustive, but yeah aria attributes on s might be worthwhile to target with masking.

[pauldambra]

Are these attributes visible anywhere during replay

In PostHog (at least) you can view the DOM at any point using an "inspect DOM" tool, and more generally using dev tools in the browser.

For someone very safety conscious it means they can't avoid storing PII in a third party system. Since they can only scrub select parts of the DOM.

We've added a before_send function to the posthog js sdk so someone could go into each snapshot event and traverse the snapshot replacing arbitrary values, so we have a workaround (although a relatively complicated one) if someone really needs it.

Much like the before_send I'd suggest that maskElement(element: Element) => Element | null ends up with a smaller surface area for the API (instead of maskAttribute, maskComment etc - although harder for someone to use ⚖️

[eoghanmurray]

I'm also thinking that assuming these are non-display, and aren't used by CSS to alter display, they should be tackled by the slimDOM config so that the attributes are removed entirely. Any thoughts on that?

[eoghanmurray]

So I don't think aria-label is a candidate for automatic masking based on description in https://developer.mozilla.org/en-US/docs/Web/Accessibility/ARIA/Attributes/aria-label (it doesn't appear likely to be widely used for PII, but rather to describe a UI element).

Had your user already used either of the maskInput or maskText to successfully target the same element that had the aria-label attribute on it? It isn't clear to me from reading that bug report.