Add language about abuse and risks for context and sampling flag entering/leaving organizational boundaries via public APIs, outbound calls #55
Description
As discussed just now at the Distributed Tracing Workshop, it would be good to have some language in the spec around Trace-Context, Trace-Context-Ext, and Correlation-Context headers that come from callers outside your organization, or are unintentionally propagated out to HTTP servers outside of your organization's administrative control.
For example, if you have enabled tracing on a service with a public API and naïvely continue any trace with the sampling flag set using the trace ID provided, a malicious attacker (or simply any third party using the HTTP headers) could overwhelm your application with tracing overhead, forge trace ID collisions that make your monitoring data unusable, or run up your tracing bill with your SaaS tracing vendor.
Similarly, if you automatically propagate sensitive baggage values in your Correlation-Context to all HTTP requests your services make, you may be revealing sensitive information to external HTTP APIs services outside your organization's boundary. Or your vendor/implementor may reveal something about your organization in the Trace-Context-Ext header.
AWS X-Ray's docs have a little blurb about this:
Tracing Header Security
A tracing header can originate from the X-Ray SDK, an AWS service, or the client request. Your application can remove X-Amzn-Trace-Id from incoming requests to avoid issues caused by users adding trace IDs or sampling decisions to their requests.