Remove Yandex trackers from the query string

[fmarier]

Yandex uses these query parameters in their analytics and ads products:

• yadclid
• yadordid
• yclid
• ymclid
• ysclid

yclid and ymclid

Both yclid and ymclid are unique click identifiers according to this post (translation) and their documentation:
https://yandex.com/support/metrica/data/offline-params.html#offline-params__yclid
https://yandex.com/support/metrica/general/source-tags.html#sources-tags

It turns out we already strip yclid because it's used by Yahoo! Japan, but we should strip ymclid too.

ysclid

According to this announcement (translation) and the official documentation, it's for tracking search terms when going from Yandex Search to a third-party website and so in theory it's not a user tracker per se.

I used Firefox to search for "brave browser" on yandex.com and found this site with a ysclid:

• https://braveser.com/?ysclid=lmv7h6xnh4953068390

Then I repeated the same search in Private Browsing and got a different link
each time I moused over the link:

• https://braveser.com/?ysclid=lmv7jr4jhw515257938
• https://braveser.com/?ysclid=lmv7k17w6q715037679

Even the original window has a different ID now:

• https://braveser.com/?ysclid=lmv7kag9a7769772885

So it does not appear to be a stable identifier 😕

That said, we wouldn't otherwise leak out the search terms directly since we cap cross-origin referrers to the origin and so we should remove this too.

yadclid and yadordid

While looking for examples of yadclid (which I found here), I also found a yadordid parameter:

• https://breezart.shop/solutions/breezart-1000-lux-ptc.php?yadclid=8040550&yadordid=17903971&yclid=13752475673004081151&action=SUBSCRIBE_PRODUCT&id=2423
• https://russian-seasons.ru/?utm_source=yandex&utm_medium=cpc&utm_campaign=jk_russkiye_sezoni&yadclid=97085288&yadordid=171563812&yclid=15851755138457796607
  https://bolshayastrana.com/bajkal/znakomstvo-s-bajkalom-kruiz-23041?yadclid=55445739&yadordid=168122925
  https://raylab.ru/catalog/svetofiltry/?utm_source=yandex&utm_medium=cpc&utm_campaign=yandex_cpc_raylab_search_all-goods_all-russia_age-all_device-all_none%7C73067181&utm_term=%D1%84%D0%B8%D0%BB%D1%8C%D1%82%D1%80+%D0%BF%D0%BE%D0%BB%D1%8F%D1%80%D0%B8%D0%B7%D0%B0%D1%86%D0%B8%D0%BE%D0%BD%D0%BD%D1%8B%D0%B9+raylab+cpl&yd_position=1&yd_source=none&yadclid=97189350&yadordid=173067181&ZGlyZWN0LnlhbmRleC5ydTs3MzA2NzE4MTsxMTk4Nzc1MjIwMDt5YW5kZXgucnU6cHJlbWl1bQ=&yclid=11775243539642843135&force=true&page=2

I've not been able to find any documentation about these online. Maybe they are unique identifiers? Maybe they are identifiers for a given creative, campaign or advertiser?

[fmarier]

All of these are removed by the "copy clean link" feature: brave/adblock-lists#1320

[stephendonner]

Verified PASSED using

Brave | 1.62.29 Chromium: 119.0.6045.105 (Official Build) nightly (x86_64)
-- | --
Revision | 722db0323f23c1aaee8a62326083bced61909279
OS | macOS Version 14.2 (Build 23C5030f)

Steps:

1. installed 1.62.29
2. launched Brave
3. loaded https://brave.com/?foo=bar&irclickid=1234&ymclid=abcd&ysclid=efgh&fb_action_ids=5678&fb_comment_id=123456&clean=yes with the Developer Tools' console open

Confirmed entering and trying to load https://brave.com/?foo=bar&irclickid=1234&ymclid=abcd&ysclid=efgh&fb_action_ids=5678&fb_comment_id=123456&clean=yes resulted in only https://brave.com/?foo=bar&clean=yes being loaded

[fmarier]

@stephendonner This will need a re-check once brave/brave-core#21254 lands.

[kjozwiak]

Re-adding the QA Pass label as the above was already verified via 1.62.x, We'll need to create a new issue that's associated with brave/brave-core#21254 which will be in 1.63.x so it can be re-verified on 1.63.x. Technically nothing was reverted/changed via 1.62.x so the above verification is still valid.

[GeetaSarvadnya]

Verification PASSED on Vivo X70 Pro version 12 running Bravemonoarm64.apk_1.62.121

• Verified the test plan from Revert "Revert "Remove Yandex' trackers from URLs brave-core#21254
• When the URL https://brave.com/?ymclid=1234&ysclid=abcde is entered the two parameters ysclid and ymclid were removed
• Confirmed that url bar just show the https://brave.com/