Filter out HubSpot's email trackers from URLs

[fmarier]

The following query string parameters are used by HubSpot:

• _hsenc
• _hsmi
• __hssc
• __hstc
• __hsfp
• hsCtaTracking

The ones that start with double underscores are tied to cookies though they are also added to URLs.

According to https://knowledge.hubspot.com/email/links-in-emails-or-ctas-lead-to-an-error-page,
_hsenc tracks the identity of the user who clicked on the email.

They have a number of other ad-related query string parameters which do not tie back to an individual. In particular hsa_acc, hsa_cam, hsa_grp, and hsa_ad map to account ID, campaign ID, ad set ID, and ad ID respectively.

Based on the examples I found on Google:

• https://www.kaspersky.com/?utm_campaign=DM1803US-KAS&utm_source=hs_automation&utm_medium=email&utm_content=61943687&_hsenc=p2ANqtz-9CCi0_DS3jtutvTinArk34tAszuq7xG7pEtsDqlUdZzgPcPmkJdLEd9B5e2O17uqs7U29rxsQiUWOrbiOpxbohyWLAkK4ah0blhC0U7mvgHtmCcWE&_hsmi=61943687
• https://www.netguru.com/hubfs/Downloadables/Mobile%20Analytics%20Comparison.pdf?utm_campaign=%5BS%5D%20mobiledev&utm_medium=email&_hsenc=p2ANqtz-89X7vHUlo85kO9K_OchfKFWHe5HTWbgG9Lw_3kPHEHZBl985uCAv-k7dXKuIX9DV17jUGqqpJhDDtkhAwTEvj-lAeeOQ&_hsmi=58517518&utm_content=58517518&utm_source=hs_automation&hsCtaTracking=2871793b-e6ce-42c7-8977-7b0a3d7d3915%7C2b401771-c713-4fd9-aa59-4d3eaef6f109

it looks like _hsmi is relatively low-entropy.

hsCtaTracking, __hssc, __hstc and __hsfp are high-entropy though and are
involved with Calls-To-Action tracking.

So we should add the following to our query string filter:

• _hsenc
• __hssc
• __hstc
• __hsfp
• hsCtaTracking

[fmarier]

On this page (linked to from a HubSpot blog post) I found a real unsubscribe link:

https://get.invisionapp.com/hs/manage-preferences/unsubscribe?d=Vn0sX899rzQZW3zcgHq4fdJd6W43WJH43P3Q7wW3ZsjYm3_fYjfVGRMvr72XjpmV1yf0N3091q-W1vtlC442x6CWW5CBmdK3jsC6j183&v=3&utm_campaign=Weekly%20Digest&utm_source=hs_email&utm_medium=email&utm_content=30425508&_hsenc=p2ANqtz-9aK6cmhAju0L5bvc7wYfHZz-OZcWCDYc3M0L5u8bwzeeDF1DIkt6ihb-EqA0XZ4ojH0k1Ta2ubZS53tG1TT9vb5jagdg

which seems to also pre-fill the email address if I remove the _hsenc parameter. The d parameter in this case is the one that's used for the pre-fill. I did try it out and confirmed that I could update the subscription preferences successfully.

[bsclifton]

Added missing milestone 😄

[GeetaSarvadnya]

Verification passed on

Brave | 1.11.68 Chromium: 83.0.4103.106 (Official Build) dev (64-bit)
-- | --
Revision | ce7134bb3d95141cd18f1e65772a4247f282d950-refs/branch-heads/4103@{#694}
OS | Windows 10 OS Version 1903 (Build 18362.30)

• Verified the test plan from Filter out HubSpot email trackers from query string brave-core#5554

Reproduced in 1.10.x

1.11.x

---

Verified passed with

Brave | 1.11.75 Chromium: 83.0.4103.116 (Official Build) dev (64-bit)
-- | --
Revision | 8f0c18b4dca9b6699eb629be0f51810c24fb6428-refs/branch-heads/4103@{#716}
OS | macOS Version 10.14.6 (Build 18G3020)

• Verified test plan from Filter out HubSpot email trackers from query string brave-core#5554
• Reproduced the test plan using 1.10.97:

• Confirmed tracker is filtered out in 1.11.x:

• Also confirmed __hssc, __hstc, __hsfp, and hsCtaTracking are filtered out per the issue description above.

---

Verified passed with

Brave	1.11.80 Chromium: 83.0.4103.116 (Official Build) dev (64-bit)
Revision	8f0c18b4dca9b6699eb629be0f51810c24fb6428-refs/branch-heads/4103@{#716}
OS	Linux

• Verified test plan from Filter out HubSpot email trackers from query string brave-core#5554
• Reproduced the test plan using 1.10.97 and confirmed tracker is filtered out in 1.11.x.
• Also confirmed __hssc, __hstc, __hsfp, and hsCtaTracking are filtered out per the issue description above (using same steps as from test plan)