Question: Is Logging Authorization Data in StorageRequest.cs a Concern for Web Applications? #10

Open
ibrahimberb opened this issue Feb 9, 2025 · 0 comments

ibrahimberb commented Feb 9, 2025

Dear Maintainers,

Thank you for your work on the StorageServices library. I know this is a bit old, but in the AuthorizeRequest method of StorageRequest.cs, there's a Debug.Log statement that outputs the Authorization header and stringToSign. When deploying our Unity application to WebGL, we observed these details appearing in the browser's console logs.

Code Reference:

```csharp
Debug.Log("Authorized request url:" + this.Request.url +
          "\n\nauthorization: \"" + authorization + "\"" +
          "\nx-ms-date: " + authHeaders.MSDate() +
          "\nstringToSign:'" + stringToSign + "'");
```

Given that Unity WebGL writes all logging information to the browser's JavaScript console, could this pose a security concern for web applications? Would you recommend modifying or commenting out this log statement in (not-so-critical) production builds?

Here is an example log that I see in my browser. Note that in my application, I communicate with the database multiple times and therefore there are multiple authorizations. This SharedKey XXXXXXXX: XXXXXXXX changes every time an authentication is being made.

Image

Thank you for your guidance.
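
An added example, not part of the issue and not StorageServices code: one way to modify the log statement quoted above so that release WebGL players emit nothing to the browser console and development builds mask the signature. `SafeRequestLog` and its method names are hypothetical; `UNITY_EDITOR` and `DEVELOPMENT_BUILD` are Unity's built-in scripting symbols.

```csharp
using System.Diagnostics;
using Debug = UnityEngine.Debug; // alias avoids a clash with System.Diagnostics.Debug

// Hypothetical helper (assumed name), intended to replace the Debug.Log call in AuthorizeRequest.
public static class SafeRequestLog
{
    // Keeps the scheme and account name, masks the signature:
    // "SharedKey <account>:<signature>" -> "SharedKey <account>:<redacted>"
    public static string RedactAuthorization(string authorization)
    {
        if (string.IsNullOrEmpty(authorization)) return "<empty>";

        int colon = authorization.LastIndexOf(':');
        // Unexpected shape: reveal nothing rather than guess where the secret part starts.
        if (colon < 0) return "<redacted>";

        return authorization.Substring(0, colon + 1) + "<redacted>";
    }

    // Calls to this method are compiled out unless one of these symbols is defined,
    // so a release WebGL build never writes the line to the JavaScript console.
    // The argument expressions at the call site are not evaluated in that case either.
    [Conditional("UNITY_EDITOR"), Conditional("DEVELOPMENT_BUILD")]
    public static void AuthorizedRequest(string url, string authorization, string msDate)
    {
        Debug.Log("Authorized request url:" + url +
                  "\n\nauthorization: \"" + RedactAuthorization(authorization) + "\"" +
                  "\nx-ms-date: " + msDate);
        // stringToSign is deliberately left out of the log.
    }
}

// Call site inside AuthorizeRequest, in place of the original Debug.Log:
//   SafeRequestLog.AuthorizedRequest(this.Request.url, authorization, authHeaders.MSDate());
```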
