Filter out Marketo's email tracker from URLs

[fmarier]

The Marketo mkt_tok query string parameter is for tracking users and can be disabled by campaign admins though apparently it's also used in unsubscribe links.

Here is a longer description of how this parameter is used and what the security implications are: https://medium.com/@thezedwards/facebook-s-ongoing-vip-user-data-exfiltration-vulnerability-via-adobes-marketo-software-why-d8435a259b0

Need to find a real example and test the unsubscribe link before we can strip out in our query string filter.

[frankfuu]

Not sure if this is related but I'm also having issues editing a draft of an email when using Brave. It doesn't happen with Google Chrome.

[fmarier]

It's definitely not related to this issue since it hasn't been implemented yet :)

My guess is that it might be related to the referrer protections in Brave. Could you please file a new issue with more details on what tools you are using so that we can investigate?

[frankfuu]

Sweet, yep so it turns out it was related to those protections. Should I file a bug anyway or not worth?

[fmarier]

Sweet, yep so it turns out it was related to those protections. Should I file a bug anyway or not worth?

Yes, please. We do try to address as many of the webcompat issues as we can.

[frankfuu]

Done - #9665

[fmarier]

@frankfuu Do you happen to have a Marketo mailing list (test or real) I could join while testing the Brave filter?

I would like to make sure that when we block the user-tracking marketo query string parameter, we don't break unsubscribe links.

[frankfuu]

@fmarier I'm not sure what you mean by mailing list? But if it's access to our Marketo instance then I don't think my employer would agree.

I'm happy to try and help test it though?

[fmarier]

By "mailing list" I meant some mailout list of some sort. Basically sending me an test email (to francois@brave.com) from within Marketo.

Ideally the body of the test email should include a link to say https://brave.com. What I would then like to do is click the unsubscribe link in that email to make sure that it works (i.e. you can see I unsubscribed).

[frankfuu]

No probs. I've sent you our newsletter email. At the bottom of the email there is an unsubscribe link which takes you to an email preferences center where you can untick the emails you do not want and when you press "save". Those changes will persist against your email. You can test that it has persisted by closing and re-opening the email and clicking on unsubscribe again.

[frankfuu]

Update: I just noticed you asked for a link in the email so I've resent you another email. It should be an email from f.fu@investsmart.com.au

[fmarier]

Thanks for the emails @frankfuu !

I can confirm that the https://brave.com link end up as: https://brave.com/?mkt_tok=eyJpIjoiTURVd09HTmlNalEyTURneCIsInQiOiJcL2Z4TkxVOHRXUmNvcnFNaG1zS28zS2x6UWRDVEZqZE1Ma2dBcm1lNHBqdFJkbU1BRkI2V0gwNTNoMDRva2pmTEk1UTBOM2NqSXRhbVNIbXFJbUlhM0ZuY1dtbFZndFBEWUQrSEkxaHNYRXNGUGR2ZnBrOTgraWw1d29UaXNYaEYifQ%3D%3D via a meta redirect:

$ curl -i https://go.investsmart.com.au/c0y01w3M09wW0fKGQ0pIz00
HTTP/2 200 
date: Thu, 21 May 2020 01:35:42 GMT
content-type: text/html
set-cookie: __cfduid=d1b43fd21fd0a808af2ac56f7681853851590024942; expires=Sat, 20-Jun-20 01:35:42 GMT; path=/; domain=.go.investsmart.com.au; HttpOnly; SameSite=Lax
cache-control: private, no-cache, no-store, max-age=0
x-content-type-options: nosniff
vary: Accept-Encoding
set-cookie: BIGipServersn_email_track_80=!03JRPFhwGTymMLQ+hMntxoNXdwmmDJ8o1AoAHceQePA6p5rhnodYjQwc46Kapocrr+yCqX8Vk1GzzC/Ewto3YQeSf+476EmBzUKrwDQ=; path=/; Httponly; Secure
cf-cache-status: DYNAMIC
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 596a8fef8c023adc-YVR
cf-request-id: 02d67849b600003adcb1a47200000001

<html>
<head>
<meta charset='UTF-8'>
<meta name='robots' content='noindex'>
<script language='javascript'>
  var redirecturl = 'https://brave.com/?mkt_tok=eyJpIjoiTURVd09HTmlNalEyTURneCIsInQiOiJcL2Z4TkxVOHRXUmNvcnFNaG1zS28zS2x6UWRDVEZqZE1Ma2dBcm1lNHBqdFJkbU1BRkI2V0gwNTNoMDRva2pmTEk1UTBOM2NqSXRhbVNIbXFJbUlhM0ZuY1dtbFZndFBEWUQrSEkxaHNYRXNGUGR2ZnBrOTgraWw1d29UaXNYaEYifQ%3D%3D';
  function redirect() {
    var anchor = window.location.hash;
    window.self.location = redirecturl + anchor;
  }
</script>
</head>
<body onload=redirect()></body>
</html>

The mkt_tok tracking parameter decodes to the following JSON:

{
    "i": "MDUwOGNiMjQ2MDgx",
    "t": "/fxNLU8tWRcorqMhmsKo3KlzQdCTFjdMLkgArme4pjtRdmMAFB6WH053h04okjfLI5Q0N3cjItamSHmqImIa3FncWmlVgtPDYD+HI1hsXEsFPdvfpk98+il5woTisXhF"
}

The unsubscribe link (https://pages.investsmart.com.au/UnsubscribePage.html?mkt_unsubscribe=1&mkt_tok=eyJpIjoiTURVd09HTmlNalEyTURneCIsInQiOiIvZnhOTFU4dFdSY29ycU1obXNLbzNLbHpRZENURmpkTUxrZ0FybWU0cGp0UmRtTUFGQjZXSDA1M2gwNG9ramZMSTVRME4zY2pJdGFtU0htcUltSWEzRm5jV21sVmd0UERZRCtISTFoc1hFc0ZQZHZmcGs5OCtpbDV3b1Rpc1hoRiJ9) also includes a different mkt_tok tracking parameter, though it decodes same JSON structure.

It looks like it uses that parameter to prefill my email address in the page head:

<!DOCTYPE html>
<html lang="en"><head>
<script type="text/javascript">
 var mktoPreFillFields = {"Email":decodeURIComponent("francois%40brave.com"),"ER_Opt_in_A__c":true,"II_Opt_in_A__c":true,"IS_Opt_in_A__c":true};
</script>

before removing it from the query string using this script.

[fmarier]

I tried to unsubscribe in two different ways:

1. From the "Hello world" email by visiting the page with the query string untouched and then reloading the page without the query string.
2. From the "Intelligent Investor" newsletter email by opening the link in curl and then opening https://pages.investsmart.com.au/my-email-preferences?mkt_unsubscribe=1 (i.e. stripping out the mkt_tok parameter) directly in Brave.

@frankfuu Are you able to check whether I successfully unsubscribed from either or these lists or both?

[frankfuu]

Ah @fmarier we have a custom unsubscribe process so you actually have to uncheck each of the options individually. Not the best user experience I know but it was a business requirement. I can see your click and web visit activity from Marketo though. Not sure if that is enough to answer your question.

[fmarier]

@frankfuu Thanks, I think I have enough details to start thinking about what needs to be done here. It's not going to be as easy as with the other filters.

Thanks for your help in investigating this!

[frankfuu]

No problems @fmarier , let me know if you need more testing to be done ;)

[alfredonodo]

Any update on this?

[fmarier]

We've not yet found a way to remove this tracker without breaking unsubscribe pages.

The root of the problem is that Marketo's design uses the same identifier for tracking users as well as for authenticating them. Unless we can find a way to reliably detect and exempt unsubscribe pages, removing this tracker will not be as innocuous as the other ones we have removed so far.

[arthuredelstein]

Release note suggested by @pes10k : "improvements to Brave’s query-parameter stripping feature, to better protect users from cross-site tracking.”"

[LaurenWags]

excellent, thanks @arthuredelstein (and @pes10k 😄 )

[stephendonner]

Verified PASSED using

Brave	1.42.61 Chromium: 103.0.5060.114 (Official Build) beta (x86_64)
Revision	a1c2360c5b02a6d4d6ab33796ad8a268a6128226-refs/branch-heads/5060@{#1124}
OS	macOS Version 13.0 (Build 22A5295i)

Shared steps:

1. install 1.42.61
2. launch Brave
3. load each of the following URLs
4. confirm the respective parameters are handled appropriately, per each testcase

Remove mkt_tok parameter, general cases - PASSED

• https://example.com/?mkt_tok=abc
• https://example.com/?mkt_tok=abc&another=test
• https://example.com/?param1=foo&mkt_tok=abc&another=test

?mkt_tok=abc	?mkt_tok=abc&another=test	?param1=foo&mkt_tok=abc&another=test

Retain mkt_tok parameter - PASSED

In all cases, confirmed we retain the mkt_tok parameter in the URL bar, upon final load:

• https://example.com/unsubscribe.html?mkt_tok=abc
• https://example.com/?mkt_tok=abc&mkt_unsubscribe=1
• https://example.com/?param1=foo&mkt_tok=abc&unsubscribe=yes

?mkt_tok=abc	?mkt_tok=abc&mkt_unsubscribe=1	?param1=foo&mkt_tok=abc&unsubscribe=yes

Regression-test existing forbidden parameters - PASSED

In all cases, confirmed the ?... parameter was stripped upon final load:

• https://example.com/?fbclid=1
• https://example.com/?gclid=1
• https://example.com/?msclkid=1

?fbclid=1	?gclid=1	?msclkid=1

---

Query-filter tests - PASSED

NOTE: You need to open this page in a private window and close all private windows in between each section. Don't copy/paste the links; you need to click on them for the test cases to work.

https://fmarier.github.io/brave-testing/query-filter.html

Direct navigations - PASSED

1. Open a new tab and paste https://brave.com/?fbclid=1 into the URL bar and press return
2. Confirm the ?fbclid=1 parameter is removed from the URL bar

Cross-site tests - PASSED

In all of these cases, confirmed the fbclid parameter is missing from the landing page:

• Cross-origin navigation
• Cross-origin navigation to cross-origin 301 redirect
• Cross-origin navigation to cross-origin 302 redirect
• Cross-origin navigation to cross-origin 303 redirect
• Cross-origin navigation to cross-origin 307 redirect
• Cross-origin navigation to cross-origin 308 redirect

query-filter/?fbclid=1234	query-filter/xredirect1	query-filter/xredirect2	query-filter/xredirect3	query-filter/xredirect4	query-filter/xredirect5

Redirected same-site tests - PASSED

In all of these cases, the fbclid parameter should be present on the landing page, but the gclid parameter should be missing in the intermediate step (client-side redirection).

• Cross-origin navigation to same-origin 301 redirect
• Cross-origin navigation to same-origin 302 redirect
• Cross-origin navigation to same-origin 303 redirect
• Cross-origin navigation to same-origin 307 redirect
• Cross-origin navigation to same-origin 308 redirect
• Cross-origin navigation, then same-origin navigation to same-origin 301 redirect
• Cross-origin navigation, then same-origin navigation to same-origin 302 redirect
• Cross-origin navigation, then same-origin navigation to same-origin 303 redirect
• Cross-origin navigation, then same-origin navigation to same-origin 307 redirect
• Cross-origin navigation, then same-origin navigation to same-origin 308 redirect

redirect1?gclid=def	redirect2?gclid=def	redirect3?gclid=def	redirect4?gclid=def	redirect5?gclid=def	redirect1.html?gclid=abc	redirect2.html?gclid=abc	redirect3.html?gclid=abc	redirect4.html?gclid=abc	redirect5.html?gclid=abc

Same-site tests - PASSED

In both of these cases, confirmed the fbclid parameter was present on the landing page:

• Same-origin navigation
• Same-site navigation

?fbclid=1234	query-filter.html

[arthuredelstein]

Thank you @stephendonner!

[Uni-verse]

Verification PASSED on Samsung Galaxy S21 using

Brave	1.42.78 Chromium: 103.0.5060.134 (Official Build) beta (64-bit) 
Revision	8ec6fce403b3feb0869b0732eda8bd95011d333c-refs/branch-heads/5060@{#1262}
OS	Android 12; Build/SP1A.210812.016

Test Plan - brave/brave-core#13726 (comment)

Removing mkt_tok

?mkt_tok=abc	?mkt_tok=abc&another=test	?param1=foo&mkt_tok=abc&another=test

Keeping the mkt_tok

unsubscribe.html?mkt_tok=abc	?mkt_tok=abc&mkt_unsubscribe=1	?param1=foo&mkt_tok=abc&unsubscribe=yes

Existing forbidden parameters (filtering out params)

• https://example.com/?fbclid=1
• https://example.com/?gclid=1
• https://example.com/?msclkid=1

Actual Result:

• https://fmarier.github.io/brave-testing/query-filter.html

[Uni-verse]

Verification PASSED on Samsung Galaxy Tab S7 using

Brave	1.42.80 Chromium: 104.0.5112.57 (Official Build) (64-bit) 
Revision	212fd173a0da1e0a024f328295bb56a2529190bb-refs/branch-heads/5112@{#1042}
OS	Android 12; Build/SP1A.210812.016

Test Plan - brave/brave-core#13726 (comment)

Removing mkt_tok

?mkt_tok=abc	?mkt_tok=abc&another=test	?param1=foo&mkt_tok=abc&another=test

Keeping the mkt_tok

unsubscribe.html?mkt_tok=abc	?mkt_tok=abc&mkt_unsubscribe=1	?param1=foo&mkt_tok=abc&unsubscribe=yes

Existing forbidden parameters (filtering out params)

• https://example.com/?fbclid=1
• https://example.com/?gclid=1
• https://example.com/?msclkid=1

Actual Result:

• https://fmarier.github.io/brave-testing/query-filter.html