privacy-review

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Privacy Review

隐私审查

Evaluate how your application handles personal data — where it's collected, processed, stored, transmitted, and potentially leaked. This review catches privacy issues that code review alone misses: runtime data flows, third-party tracking, console/network leaks, and consent implementation gaps.

评估您的应用程序如何处理个人数据——包括数据的收集、处理、存储、传输以及潜在泄露情况。本次审查能发现仅通过代码审查无法察觉的隐私问题：运行时数据流、第三方追踪、控制台/网络泄露以及授权实施漏洞。

When to use

适用场景

Use

/privacy-review

when:

Your app collects any personal information (names, emails, addresses, etc.)
Before launching in GDPR/CCPA jurisdictions
Adding third-party analytics, tracking, or marketing tools
After a data incident or privacy complaint
Building features that handle sensitive data (health, financial, biometric)
Integrating with third-party APIs that receive user data

在以下场景使用

/privacy-review

：

您的应用收集任何个人信息（姓名、邮箱、地址等）
在GDPR/CCPA管辖区域上线应用前
添加第三方分析、追踪或营销工具时
发生数据事件或收到隐私投诉后
构建处理敏感数据（健康、财务、生物识别）的功能时
集成接收用户数据的第三方API时

Standards Referenced

参考标准

GDPR — EU General Data Protection Regulation (Articles 5, 6, 7, 12-22, 25, 32)
CCPA/CPRA — California Consumer Privacy Act
OWASP Privacy Risks Top 10
NIST Privacy Framework
ISO 27701 — Privacy Information Management
ePrivacy Directive — Cookie consent requirements

GDPR — 欧盟通用数据保护条例（第5、6、7、12-22、25、32条）
CCPA/CPRA — 加州消费者隐私法案
OWASP Privacy Risks Top 10
NIST Privacy Framework
ISO 27701 — 隐私信息管理
ePrivacy Directive — Cookie授权要求

Phase Overview

阶段概述

Phase 1: EDUCATE   → Privacy principles and what we check
Phase 2: SCOPE     → Map data flows, PII types, third parties
Phase 3: ANALYZE   → Browser-based validation of privacy practices
Phase 4: REPORT    → Findings with evidence and confidence scores
Phase 5: REMEDIATE → Fix guidance + YAML regression tests

Phase 1: EDUCATE   → 隐私原则及审查内容说明
Phase 2: SCOPE     → 梳理数据流、PII类型、第三方服务
Phase 3: ANALYZE   → 基于浏览器验证隐私实践
Phase 4: REPORT    → 包含证据和置信度评分的审查结果
Phase 5: REMEDIATE → 修复指南 + YAML回归测试

Phase 1: Educate

第一阶段：认知教育

Why this matters: GDPR fines reached €2.1B in 2023. CCPA gives consumers the right to sue for data breaches ($100-$750 per consumer per incident). Beyond compliance, privacy violations erode user trust — 79% of consumers say they'd stop engaging with a brand after a privacy breach. Many privacy issues are invisible in code review but obvious in runtime behavior.

This review focuses on observable runtime privacy behavior — what actually happens in the browser when users interact with your app.

重要性说明： 2023年GDPR罚款总额达21亿欧元。CCPA赋予消费者针对数据泄露提起诉讼的权利（每起事件每位消费者可获100-750美元赔偿）。除合规要求外，隐私违规会损害用户信任——79%的消费者表示在遭遇隐私泄露后会停止与品牌互动。许多隐私问题在代码审查中不可见，但在运行时行为中会暴露无遗。

本次审查聚焦可观测的运行时隐私行为——即用户与应用交互时浏览器中的实际操作。

Phase 2: Scope

第二阶段：范围界定

Gather context

收集上下文信息

Auto-detect from codebase:
- Forms that collect user input (registration, profile, payment, contact)
- Analytics/tracking scripts (Google Analytics, Mixpanel, Segment, Hotjar, etc.)
- Cookie-setting code and cookie consent mechanisms
- Logging statements that might include PII
- API calls that transmit user data
- Third-party SDKs and their data sharing behavior
- Privacy policy and terms of service pages
Ask the user (one at a time):
- Target URL: Where is the app running?
- Data types: What personal data does your app collect? (auto-detected, confirm)
- Jurisdictions: Where are your users? (determines GDPR/CCPA/other applicability)
- Third parties: What analytics/tracking/marketing tools do you use? (auto-detected, confirm)
- Known concerns: Any specific privacy areas you're worried about? (optional)
Build data flow map:
- PII entry points (forms, URL params, imports)
- PII processing (client-side or server-side)
- PII storage (cookies, localStorage, server DB)
- PII transmission (API calls, third-party scripts)
- PII display (profile pages, admin panels, logs)

从代码库自动检测：
- 收集用户输入的表单（注册、个人资料、支付、联系表单）
- 分析/追踪脚本（Google Analytics、Mixpanel、Segment、Hotjar等）
- 设置Cookie的代码及Cookie授权机制
- 可能包含PII的日志语句
- 传输用户数据的API调用
- 第三方SDK及其数据共享行为
- 隐私政策和服务条款页面
向用户询问（逐一进行）：
- 目标URL：应用部署在哪里？
- 数据类型：您的应用收集哪些个人数据？（已自动检测，请确认）
- 管辖区域：您的用户分布在哪些地区？（决定GDPR/CCPA等法规的适用性）
- 第三方服务：您使用哪些分析/追踪/营销工具？（已自动检测，请确认）
- 已知问题：您是否有特定担忧的隐私领域？（可选）
构建数据流图：
- PII入口点（表单、URL参数、导入数据）
- PII处理（客户端或服务器端）
- PII存储（Cookie、localStorage、服务器数据库）
- PII传输（API调用、第三方脚本）
- PII展示（个人资料页面、管理面板、日志）

Phase 3: Analyze

第三阶段：分析验证

Open a browser session with

new_session

using

record_evidence: true

. Run all applicable check categories.

开启

new_session

浏览器会话并设置

record_evidence: true

。运行所有适用的检查类别。

Category A: Data Collection & Consent (CON)

类别A：数据收集与授权（CON）

Check ID	Check	Standard	Method
CON-01	Cookie consent banner shown before setting non-essential cookies	ePrivacy / GDPR Art.7	Load page, check if tracking cookies exist before consent
CON-02	No tracking scripts fire before consent	ePrivacy / GDPR	Monitor network requests on fresh page load (no consent given)
CON-03	Consent is granular (not just "accept all")	GDPR Art.7	Check consent UI for category-level options
CON-04	Rejecting consent actually prevents tracking	GDPR Art.7	Reject all, verify no tracking cookies/requests
CON-05	Consent preference is persisted and respected	GDPR Art.7	Set preference, reload page, verify it's remembered
CON-06	Consent can be withdrawn (modify/revoke)	GDPR Art.7(3)	Find mechanism to change consent after initial choice
CON-07	Privacy policy is accessible and linked	GDPR Art.12-14	Check for privacy policy link in footer/consent banner
CON-08	Data collection is proportionate (no unnecessary fields)	GDPR Art.5(1)(c)	Review forms for fields not needed for stated purpose

Browser validation: Load page in fresh session (no cookies). Use

get_browser_console_logs

and monitor network via JavaScript. Check cookies before and after consent interaction. Use

act

to interact with consent banner.

检查ID	检查内容	参考标准	验证方法
CON-01	设置非必要Cookie前显示Cookie授权横幅	ePrivacy / GDPR Art.7	加载页面，检查授权前是否存在追踪Cookie
CON-02	授权前无追踪脚本触发	ePrivacy / GDPR	在全新页面加载时监控网络请求（未授予授权）
CON-03	授权支持精细化设置（不只是“全部接受”）	GDPR Art.7	检查授权UI是否提供分类选项
CON-04	拒绝授权可实际阻止追踪行为	GDPR Art.7	选择全部拒绝，验证无追踪Cookie/请求
CON-05	授权偏好可持久化并被尊重	GDPR Art.7	设置偏好后重新加载页面，验证偏好被保留
CON-06	可撤回授权（修改/取消）	GDPR Art.7(3)	查找初始选择后修改授权的机制
CON-07	隐私政策可访问且有链接	GDPR Art.12-14	检查页脚/授权横幅中的隐私政策链接
CON-08	数据收集符合比例原则（无不必要字段）	GDPR Art.5(1)(c)	检查表单是否包含非必要字段

浏览器验证： 在全新会话（无Cookie）中加载页面。使用

get_browser_console_logs

并通过JavaScript监控网络。检查授权交互前后的Cookie。使用

act

与授权横幅交互。

Category B: PII Leakage Detection (LEAK)

类别B：PII泄露检测（LEAK）

Check ID	Check	Standard	Method
LEAK-01	No PII in URL parameters	OWASP Privacy #1	Check URLs after form submissions, navigation
LEAK-02	No PII in browser console logs	OWASP Privacy #4	Check `get_browser_console_logs` for email, names, IDs
LEAK-03	No PII in localStorage/sessionStorage	Data minimization	Inspect client storage for personal data
LEAK-04	No PII in page source/comments	Information leak	Check HTML comments, hidden fields
LEAK-05	No PII in error messages	OWASP Privacy #7	Trigger errors, check for user data in messages
LEAK-06	No PII in Referer headers	OWASP Privacy	Check Referrer-Policy, inspect outbound requests
LEAK-07	No PII in meta tags or Open Graph	Information leak	Check `<meta>` for user-specific data on shared pages
LEAK-08	No PII in cached responses (browser cache)	Data minimization	Check Cache-Control headers on pages with PII
LEAK-09	No PII leaked to third-party scripts	GDPR Art.28	Monitor data sent to analytics/tracking endpoints
LEAK-10	Autocomplete appropriate on sensitive fields	Usability/Privacy	Check `autocomplete` attribute on password, CC fields

Browser validation: Navigate through user flows. After each action, check URLs, console logs, storage, and network requests for PII patterns (email regex, phone patterns, SSN patterns, etc.). Use JavaScript to inspect

performance.getEntries()

for request URLs.

检查ID	检查内容	参考标准	验证方法
LEAK-01	URL参数中无PII	OWASP Privacy #1	检查表单提交、导航后的URL
LEAK-02	浏览器控制台日志中无PII	OWASP Privacy #4	检查 `get_browser_console_logs` 中的邮箱、姓名、ID等信息
LEAK-03	localStorage/sessionStorage中无PII	数据最小化原则	检查客户端存储中的个人数据
LEAK-04	页面源码/注释中无PII	信息泄露防护	检查HTML注释、隐藏字段
LEAK-05	错误信息中无PII	OWASP Privacy #7	触发错误，检查信息中是否包含用户数据
LEAK-06	Referer请求头中无PII	OWASP Privacy	检查Referrer-Policy，查看出站请求
LEAK-07	元标签或Open Graph中无PII	信息泄露防护	检查共享页面的 `<meta>` 标签中是否包含用户特定数据
LEAK-08	缓存响应（浏览器缓存）中无PII	数据最小化原则	检查含PII页面的Cache-Control请求头
LEAK-09	无PII泄露至第三方脚本	GDPR Art.28	监控发送至分析/追踪端点的数据
LEAK-10	敏感字段自动补全设置合理	可用性/隐私性	检查密码、信用卡字段的 `autocomplete` 属性

浏览器验证： 遍历用户流程。每次操作后，检查URL、控制台日志、存储和网络请求中的PII模式（邮箱正则、电话格式、社保号码格式、测试账户姓名等）。使用JavaScript检查

performance.getEntries()

中的请求URL。

Category C: Third-Party Tracking Inventory (TRACK)

类别C：第三方追踪清单（TRACK）

Check ID	Check	Standard	Method
TRACK-01	Inventory all third-party scripts	GDPR Art.30	List all external script sources and their domains
TRACK-02	All third-party scripts are documented	Transparency	Cross-reference with privacy policy
TRACK-03	No unknown/unexpected tracking pixels	Privacy	Check for 1x1 images, beacon requests
TRACK-04	Third-party cookies inventory	ePrivacy	List all cookies by domain
TRACK-05	No fingerprinting scripts	Privacy	Check for canvas fingerprint, WebGL, AudioContext probing
TRACK-06	Data sent to third parties is proportionate	GDPR Art.5(1)(c)	Inspect payloads to analytics endpoints
TRACK-07	Tracking respects Do-Not-Track header	Best practice	Set DNT header, check if tracking still fires

Browser validation: Load page with fresh session. Use JavaScript to enumerate all

<script>

sources, all cookie domains, all network requests to external domains. Check for fingerprinting API usage (Canvas, WebGL, AudioContext).

检查ID	检查内容	参考标准	验证方法
TRACK-01	梳理所有第三方脚本清单	GDPR Art.30	列出所有外部脚本来源及其域名
TRACK-02	所有第三方脚本均已记录	透明度要求	与隐私政策交叉核对
TRACK-03	无未知/意外追踪像素	隐私防护	检查1x1图片、信标请求
TRACK-04	第三方Cookie清单	ePrivacy	按域名列出所有Cookie
TRACK-05	无指纹识别脚本	隐私防护	检查是否存在画布指纹、WebGL、AudioContext探测
TRACK-06	发送至第三方的数据符合比例原则	GDPR Art.5(1)(c)	检查分析端点的负载内容
TRACK-07	追踪行为尊重Do-Not-Track请求头	最佳实践	设置DNT请求头，检查追踪是否仍触发

浏览器验证： 在全新会话中加载页面。使用JavaScript枚举所有

<script>

来源、所有Cookie域名、所有发往外域的网络请求。检查是否使用指纹识别API（Canvas、WebGL、AudioContext）。

Category D: Data Storage & Retention (STOR)

类别D：数据存储与留存（STOR）

Check ID	Check	Standard	Method
STOR-01	Sensitive data encrypted in transit (HTTPS)	GDPR Art.32	Check all resource URLs use HTTPS
STOR-02	Session data has appropriate expiry	Data minimization	Check cookie/token expiration times
STOR-03	No excessive data in cookies	Data minimization	Check cookie sizes and contents
STOR-04	Client-side storage is minimal	Data minimization	Audit localStorage/sessionStorage contents
STOR-05	Sensitive form data not persisted in history	Privacy	Check if sensitive forms use POST, not GET
STOR-06	Browser back button doesn't show sensitive data after logout	Session management	Logout, press back, check for cached sensitive content

Browser validation: Inspect all cookies (name, value, domain, expiry, flags). Check localStorage/sessionStorage. Test logout + back button behavior.

检查ID	检查内容	参考标准	验证方法
STOR-01	敏感数据传输加密（HTTPS）	GDPR Art.32	检查所有资源URL是否使用HTTPS
STOR-02	会话数据过期时间合理	数据最小化原则	检查Cookie/令牌的过期时间
STOR-03	Cookie中无过多数据	数据最小化原则	检查Cookie的大小和内容
STOR-04	客户端存储内容最小化	数据最小化原则	审核localStorage/sessionStorage的内容
STOR-05	敏感表单数据未留存至历史记录	隐私防护	检查敏感表单是否使用POST而非GET方法
STOR-06	登出后浏览器返回按钮不显示敏感数据	会话管理	登出后点击返回按钮，检查是否缓存敏感内容

浏览器验证： 检查所有Cookie（名称、值、域名、过期时间、标志）。检查localStorage/sessionStorage。测试登出+返回按钮的行为。

Category E: User Rights Implementation (RIGHTS)

类别E：用户权利实现（RIGHTS）

Check ID	Check	Standard	Method
RIGHTS-01	Users can access their data (data export)	GDPR Art.15 / CCPA	Find and test data export feature
RIGHTS-02	Users can delete their account/data	GDPR Art.17	Find and verify account deletion flow
RIGHTS-03	Users can update their personal information	GDPR Art.16	Test profile edit functionality
RIGHTS-04	Opt-out mechanism for data selling (CCPA)	CCPA §1798.120	Check for "Do Not Sell" link
RIGHTS-05	Account deletion is complete (not just deactivation)	GDPR Art.17	Delete account, verify data is removed (check profile URL)

Browser validation: Navigate to account settings, test data export, profile editing, and account deletion flows. Verify each right is accessible and functional.

检查ID	检查内容	参考标准	验证方法
RIGHTS-01	用户可访问自身数据（数据导出）	GDPR Art.15 / CCPA	查找并测试数据导出功能
RIGHTS-02	用户可删除账户/数据	GDPR Art.17	查找并验证账户删除流程
RIGHTS-03	用户可更新个人信息	GDPR Art.16	测试个人资料编辑功能
RIGHTS-04	数据售卖退出机制（CCPA）	CCPA §1798.120	检查“Do Not Sell”链接
RIGHTS-05	账户删除彻底（非仅停用）	GDPR Art.17	删除账户，验证数据已移除（检查个人资料URL）

浏览器验证： 导航至账户设置，测试数据导出、资料编辑和账户删除流程。验证每项权利均可访问且功能正常。

Phase 4: Report

第四阶段：生成报告

Generate a structured report saved to

shiplight/reports/privacy-review-{date}.md

markdown

undefined

生成结构化报告并保存至

shiplight/reports/privacy-review-{date}.md

：

markdown

undefined

Privacy Review Report

隐私审查报告

Date: {date} URL: {url} PII types handled: {list} Jurisdictions: {GDPR, CCPA, etc.} Third parties detected: {count and list}

日期: {date} URL: {url} 处理的PII类型: {list} 管辖区域: {GDPR, CCPA, etc.} 检测到的第三方服务: {count and list}

Overall Score: {X}/10 | Confidence: {X}%

整体评分: {X}/10 | 置信度: {X}%

Score Breakdown

评分明细

Category	Score	Findings
Consent (CON)	5/10	1 critical, 2 high
PII Leakage (LEAK)	7/10	1 high, 1 medium
Tracking Inventory (TRACK)	4/10	2 high, 1 medium
Data Storage (STOR)	8/10	1 medium
User Rights (RIGHTS)	6/10	1 high, 1 medium

类别	评分	发现问题
授权（CON）	5/10	1个严重问题，2个高风险问题
PII泄露（LEAK）	7/10	1个高风险问题，1个中风险问题
追踪清单（TRACK）	4/10	2个高风险问题，1个中风险问题
数据存储（STOR）	8/10	1个中风险问题
用户权利（RIGHTS）	6/10	1个高风险问题，1个中风险问题

Data Flow Map

数据流图

(visual representation of PII flows through the application)

(应用中PII流转的可视化展示)

Third-Party Tracking Inventory

第三方追踪清单

Domain	Type	Cookies Set	Data Sent	Consent Required
google-analytics.com	Analytics	_ga, _gid	Page URL, user agent	Yes
...

域名	类型	设置的Cookie	发送的数据	是否需要授权
google-analytics.com	分析工具	_ga, _gid	页面URL、用户代理	是
...

Findings

问题发现

(structured findings with evidence, severity, confidence)

undefined

(包含证据、严重程度、置信度的结构化内容)

undefined

Confidence Scoring

置信度评分

90-100%: Browser-validated — observed PII in console, URL, or network request
70-89%: Strong evidence from storage/header inspection
50-69%: Code-level pattern match, may not manifest at runtime
Below 50%: Don't report

90-100%: 浏览器验证——在控制台、URL或网络请求中观测到PII
70-89%: 存储/请求头检查提供的有力证据
50-69%: 代码层面模式匹配，可能未在运行时显现
低于50%: 不纳入报告

Phase 5: Remediate

第五阶段：修复整改

1. Fix guidance (example)

1. 修复指南（示例）

markdown

undefined

markdown

undefined

LEAK-01: Email address in URL parameter after form submit

LEAK-01: 表单提交后邮箱地址出现在URL参数中

Risk: PII in URL is logged by servers, proxies, browser history, and analytics File: src/pages/search.tsx:34 Current:

router.push(

/results?email=${email}

Fix: Use POST request or session state

```
router.push('/results')
```
with email in request body or session
Add
```
Referrer-Policy: no-referrer
```
header as defense-in-depth

undefined

风险: URL中的PII会被服务器、代理、浏览器历史记录和分析工具记录 文件: src/pages/search.tsx:34 当前实现:

router.push(

/results?email=${email}

修复方案: 使用POST请求或会话状态

```
router.push('/results')
```
，将邮箱放入请求体或会话中
添加
```
Referrer-Policy: no-referrer
```
请求头作为深度防御措施

undefined

2. YAML regression test

2. YAML回归测试

yaml

- name: leak-01-no-pii-in-urls
  description: Verify email addresses are not exposed in URL parameters
  severity: high
  standard: OWASP-Privacy-1
  steps:
    - URL: /search
    - intent: Enter email in search form
      action: fill
      locator: "getByLabel('Email')"
      value: "test@example.com"
    - intent: Submit the search form
      action: click
      locator: "getByRole('button', { name: 'Search' })"
    - WAIT_UNTIL: Search results are displayed
      timeout_seconds: 15
    - description: Assert no email address appears in the URL
      js: |
        const url = page.url();
        if (/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/.test(url)) {
          throw new Error(`PII found in URL: ${url}`);
        }
    - VERIFY: No email addresses appear in the browser URL

Save all YAML tests to

shiplight/tests/privacy-review.test.yaml

yaml

- name: leak-01-no-pii-in-urls
  description: Verify email addresses are not exposed in URL parameters
  severity: high
  standard: OWASP-Privacy-1
  steps:
    - URL: /search
    - intent: Enter email in search form
      action: fill
      locator: "getByLabel('Email')"
      value: "test@example.com"
    - intent: Submit the search form
      action: click
      locator: "getByRole('button', { name: 'Search' })"
    - WAIT_UNTIL: Search results are displayed
      timeout_seconds: 15
    - description: Assert no email address appears in the URL
      js: |
        const url = page.url();
        if (/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/.test(url)) {
          throw new Error(`PII found in URL: ${url}`);
        }
    - VERIFY: No email addresses appear in the browser URL

将所有YAML测试保存至

shiplight/tests/privacy-review.test.yaml

。

Tips

提示

Use a fresh browser session (no stored cookies) to test consent behavior accurately
PII patterns to search for: email (
```
@
```
), phone (
```
\d{3}[-.]?\d{3}[-.]?\d{4}
```
), SSN, credit card numbers, names from test accounts
Third-party scripts often load more scripts — check for cascade loading
```
get_browser_console_logs
```
often reveals PII that developers left in debug logging
Test with consent rejected AND accepted — both paths matter
Close session with
```
close_session
```
and use
```
generate_html_report
```
for evidence

使用全新浏览器会话（无存储Cookie）以准确测试授权行为
需搜索的PII模式：邮箱（
```
@
```
）、电话（
```
\d{3}[-.]?\d{3}[-.]?\d{4}
```
）、社保号码、信用卡号、测试账户姓名
第三方脚本通常会加载更多脚本——需检查级联加载情况
```
get_browser_console_logs
```
常能发现开发者遗留的调试日志中的PII
需测试授权拒绝和接受两种路径——两者都很重要
使用
```
close_session
```
关闭会话，并用
```
generate_html_report
```
生成证据