chore: update sanitization spec

[david-luna]

This PR tries to clarify in the spec who the agents are already dealing with request cookie info and sanitization. Also it tries to remove ambiguity on how cookie data is placed into transaction.context.request to avoid data redundancy on the payloads sent to APM server

• May the instrumentation collect sensitive information, such as secrets or PII (ex. in headers)?
  • [ ] Yes
  • [ ] Add a section to the spec how agents should apply sanitization (such as sanitize_field_names)
  • [ ] No
  • [ ] Why?
  • [x] n/a
• [x] Create PR as draft
• [x] Approval by at least one other agent
• [x] Mark as Ready for Review (automatically requests reviews from all agents and PM via CODEOWNERS)
  • Remove PM from reviewers if impact on product is negligible
  • Remove agents from reviewers if the change is not relevant for them
• [ ] Approved by at least 2 agents + PM (if relevant)
• [ ] Merge after 7 days passed without objections \ To auto-merge the PR, add /schedule YYYY-MM-DD to the PR description.
• [ ] Create implementation issues through the meta issue template (this will automate issue creation for individual agents)
• [x] ~If this spec adds a new dynamic config option, [add it to central config]~(https://github.com/elastic/apm/blob/main/specs/agents/configuration.md#adding-a-new-configuration-option).

[gregkalapos]

A very related topic is that currently only set-cookie is in the default list of sanitize_field_names (defined just above the changed lines). I suggest we consider adding cookie to that list.

[felixbarny]

I suggest we consider adding cookie to that list.

I think that's handled by agents removing the cookie header in favor of the transaction.context.request.cookies field and also applying transaction.context.request.cookies for that dedicated cookie field. Not sure if that's a cross-agent thing but that's what the Java agent does: https://github.com/elastic/apm-agent-java/blob/main/apm-agent-core/src/main/java/co/elastic/apm/agent/impl/context/SanitizingWebProcessor.java

[david-luna]

Not all agents behave the same. In this discussion we found out implementations differ. In summary:

• Java agent removes the cookie header and sets transaction.context.request.cookies
• Python agent keeps cookie header redacting its values and sets transaction.context.request.cookies
• Ruby agent does the same as Python
• .NET agent keeps the cookie header and sets transaction.context.request.cookies
• NodeJS agent keeps cookie header completely redacted and sets transaction.context.request.cookies

So implementations that have both cookie header and transaction.context.request.cookies may send duplicated info. The cookie values that are not redacted. The 2nd paragraph of this PR wants to spec to avoid this redundancy

[trentm]

Gah! Sorry I merged this instead of "approving" it. My bad.

That said, it has the required set of approvals and just hasn't waited the mandated 7 days. I don't see a reason to revert it to just merge it a few days later.

@david-luna Did we happen to know off hand which, if any, APM agents currently need to change their behaviour -- i.e. those that should get an implementation issue?