
Filter out mailerlite fields from the query string #17507

Closed
fmarier opened this issue Aug 16, 2021 · 2 comments · Fixed by brave/brave-core#9761

Comments

@fmarier (Member)

fmarier commented Aug 16, 2021

MailerLite is a newsletter service which adds the following fields to outgoing links:

  • ml_subscriber
  • ml_subscriber_hash

There are lots of examples in the wild:

They recommend adding their tracking script to all pages of a website. That script looks at these values and sends them to a backend using a tracking pixel, for example like this:

```javascript
// Excerpt from MailerLite's minified tracking script. Helper names are the
// minifier's: n() apparently reads a query-string parameter, a is the window
// object, B the API base URL, and d(b) the script's normal continuation.
function g() {
    var c = n("ml_subscriber"),          // subscriber id taken from the query string
        e = n("ml_subscriber_hash"),     // subscriber hash taken from the query string
        f = a.location.hostname;         // hostname of the page being visited
    // Prefer a configured shop domain over the hostname when the site set one;
    // then, if both parameters are present, fire a tracking pixel carrying them.
    return a.mlsettings && a.mlsettings.shop && (f = a.mlsettings.shop),
        c && e && (new Image().src = B + "/api/v2/woocommerce/visitor/" + c + "/" + e + "/" + f),
        d(b);
}
```

From what I can see in a newsletter I'm subscribed to, the unsubscribe link is completely different and instead uses a base64 blob that's part of the path in order to recover the email address. Therefore, it should be safe to strip these parameters out.

@fmarier fmarier added privacy priority/P3 The next thing for us to work on. It'll ride the trains. QA/Yes release-notes/include OS/Android Fixes related to Android browser functionality OS/Desktop privacy/query-filter labels Aug 16, 2021
@fmarier fmarier self-assigned this Aug 16, 2021
@fmarier fmarier added this to Untriaged Backlog in Security & Privacy via automation Aug 16, 2021
@fmarier fmarier changed the title Filter out mailierlite fields from the query string Filter out mailerlite fields from the query string Aug 16, 2021
@fmarier fmarier moved this from Untriaged Backlog to Pending review in Security & Privacy Aug 16, 2021
Security & Privacy automation moved this from Pending review to Completed Aug 17, 2021
@fmarier fmarier added this to the 1.30.x - Nightly milestone Aug 17, 2021
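As an added example (not code from this issue or from brave-core), the filtering described above applied to a URL in JavaScript: the two MailerLite parameters are stripped from the query string while every other parameter, the path and the fragment are left untouched, and a URL that carried none of them is returned byte-for-byte unchanged so no spurious redirect is triggered. The blocklist shape and the function name are assumptions for this example.

```javascript
// Parameter names from the issue; the Set-based blocklist is an assumption
// for this example, not Brave's actual data structure.
const TRACKING_PARAMS = new Set(["ml_subscriber", "ml_subscriber_hash"]);

// Returns { url, removed }: the cleaned URL and the list of parameter
// names that were dropped (empty when the URL needed no change).
function stripTrackingParams(urlString, blocklist = TRACKING_PARAMS) {
  const url = new URL(urlString);
  const removed = [];
  // Iterate over a snapshot of the distinct keys: deleting while walking a
  // live URLSearchParams skips entries, and delete() removes all duplicates.
  for (const key of new Set(url.searchParams.keys())) {
    if (blocklist.has(key)) {
      url.searchParams.delete(key);
      removed.push(key);
    }
  }
  // Nothing matched: hand back the original string untouched rather than a
  // re-serialised copy, so unrelated URLs are never rewritten.
  if (removed.length === 0) return { url: urlString, removed };
  // Drop the dangling "?" left behind when every parameter was removed.
  if (url.searchParams.toString() === "") url.search = "";
  return { url: url.toString(), removed };
}

// Constructed sample input mirroring the test plan's URL.
const sample = "https://brave.com/?ml_subscriber=17517&ml_subscriber_hash=o3e1";
console.log(stripTrackingParams(sample)); // → { url: 'https://brave.com/', removed: [ 'ml_subscriber', 'ml_subscriber_hash' ] }
```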
@stephendonner

Verified PASSED using the testplan in brave/brave-core#9761 and build

Brave 1.30.28 Chromium: 92.0.4515.159 (Official Build) nightly (x86_64)
Revision 0185b8a19c88c5dfd3e6c0da6686d799e9bc3b52-refs/branch-heads/4515@{#2052}
OS macOS Version 12.0 (Build 21A5304g)

Steps:

  1. new profile
  2. launched Brave
  3. opened Developer Tools from the "hamburger" menu, More Tools and chose the Network panel
  4. loaded https://brave.com/?ml_subscriber=17517&ml_subscriber_hash=o3e1 and watched the network requests
  5. confirmed that the ml_subscriber and ml_subscriber_hash parameters had been removed from the URL bar, and that an HTTP 307/internal redirect occurred


@srirambv (Contributor)

Verification passed on the following devices running 1.30.79 x64 build

  • Verified ml_subscriber and ml_subscriber_hash are removed from the URL when the request is initiated, on Oppo Reno 5 (Android 11) and Samsung Tab A (Android 10)
