The Brave Browser promotes itself as being built from the ground up to provide enhanced privacy to its users. Yet users voiced concern today after finding a section of the browser's source code showing that tracking scripts for Facebook and Twitter are whitelisted so that they are not blocked by the browser.
According to the Brave Browser's feature list, unwanted trackers and ads will be blocked by the browser.
The whitelisting is shown by the source code of the tracking_protection_service.h file, which contains a comment stating that a tracking protection white_list variable was created as a "Temporary hack which matches both browser-laptop and Android code".
This whitelist variable is associated with code in the tracking_protection_service.cc file that adds various Facebook and Twitter hostnames to the whitelist variable so that they are not blocked by Brave's Tracking Protection feature.
The whitelisted hostnames are:
connect.facebook.net
connect.facebook.com
staticxx.facebook.com
www.facebook.com
scontent.xx.fbcdn.net
pbs.twimg.com
scontent-sjc2-1.xx.fbcdn.net
platform.twitter.com
syndication.twitter.com
cdn.syndication.twimg.com
According to a Brave Browser issue that was opened on September 8th, 2018, the developers decided to whitelist tracking scripts from Facebook and Twitter because blocking them would affect the functionality of many sites. One of the Facebook features that would be broken is Facebook login.
The code to whitelist Facebook's hostnames was added over 3 years ago, according to this commit, and the issue currently has a priority rating of only P5 on Brave's list of open issues.
According to some users at Y Combinator, it is a strange tactic for a privacy-oriented browser to whitelist Facebook.com, which could be the most well-known abuser of users' privacy and data, and not resolve it more quickly.
BleepingComputer has reached out to Brave for comment, but had not heard back at the time of this publication. This article will be updated when a response is received.
Update 2/12/19: Brave has published a blog post in response stating that tracking is still blocked even though these hostnames are whitelisted.
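To make the difference between a whitelisted hostname and an allowed tracking request concrete, here is an added example (not Brave's code and not part of the original article) of a host-level exemption evaluated alongside request-level rules. Only the whitelisted hostnames come from the article; the exact-match lookup, the tracker host list, the request rule and the sample URLs are assumptions constructed for illustration.

```cpp
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

enum class Verdict { kAllowed, kAllowedByWhitelist, kBlockedByHostList, kBlockedByRule };

// Hostnames the article lists as whitelisted.
static const std::vector<std::string> kWhiteList = {
    "connect.facebook.net", "connect.facebook.com", "staticxx.facebook.com",
    "www.facebook.com", "scontent.xx.fbcdn.net", "pbs.twimg.com",
    "scontent-sjc2-1.xx.fbcdn.net", "platform.twitter.com",
    "syndication.twitter.com", "cdn.syndication.twimg.com"};
// Constructed sample data, not Brave's real lists.
static const std::vector<std::string> kTrackerHosts = {
    "connect.facebook.net", "www.facebook.com", "m.facebook.com",
    "platform.twitter.com", "tracker.example"};
static const std::vector<std::string> kRequestRules = {
    "www.facebook.com/constructed-pixel"};  // host + path prefix

static bool Contains(const std::vector<std::string>& v, const std::string& s) {
  return std::find(v.begin(), v.end(), s) != v.end();
}

// Returns "host/path" with scheme, query and fragment removed.
// Assumes a lower-case URL without port or userinfo.
static std::string HostAndPath(const std::string& url) {
  std::size_t start = url.find("://");
  start = (start == std::string::npos) ? 0 : start + 3;
  const std::size_t end = url.find_first_of("?#", start);
  return url.substr(start, end == std::string::npos ? end : end - start);
}

Verdict Classify(const std::string& url) {
  const std::string hp = HostAndPath(url);
  const std::string host = hp.substr(0, hp.find('/'));
  // Request-level rules apply regardless of the host whitelist.
  for (const std::string& rule : kRequestRules)
    if (hp.compare(0, rule.size(), rule) == 0) return Verdict::kBlockedByRule;
  if (!Contains(kTrackerHosts, host)) return Verdict::kAllowed;
  // Exact-match exemption: only the listed hostnames skip the host block.
  return Contains(kWhiteList, host) ? Verdict::kAllowedByWhitelist
                                    : Verdict::kBlockedByHostList;
}

int main() {
  for (const char* u : {"https://connect.facebook.net/en_US/sdk.js",
                        "https://www.facebook.com/constructed-pixel?id=1",
                        "https://m.facebook.com/plugins/like.php"})
    std::cout << u << " -> " << static_cast<int>(Classify(u)) << "\n";
}
```

Running an audit like this over a captured request log separates requests that pass only because of the host exemption from those still caught by a request-level rule.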
Firefox does it differently
Firefox also states that its tracking protection feature, called Content Blocking, can cause sites to break. For this reason, it provides different levels of tracking protection so that users can decide how strict the browser should be when blocking tracking scripts.
In Firefox, the default setting is Standard, which allows trackers whose blocking would break their associated sites. Users who want stricter tracking protection and do not care if sites break can select the Strict or Custom settings, which offer more tracking protection.
Comments
w0ts0n - 1 year ago
Brave blocked them, people complained as it broke an sdk which fb uses for oauth (login to some sites). Same issue on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=1226498
connect.facebook.com is for the Facebook JS SDK.
We actually do block Facebook requests explicitly used for tracking:
https://github.com/brave/adblock-lists/blob/f25b698aff4666bbd6a6038ec029855e971b57cc/brave-unbreak.txt#L41
https://github.com/brave/adblock-lists/blob/f25b698aff4666bbd6a6038ec029855e971b57cc/brave-unbreak.txt#L42
https://github.com/brave/adblock-lists/blob/f25b698aff4666bbd6a6038ec029855e971b57cc/brave-unbreak.txt#L43
buddy215 - 1 year ago
Can't beat Firefox with NoScript add-on for blocking trackers, malicious scripts and ad scripts. Add an ad blocker such as Adblock Plus and you have a browser that is safer and ad free....not like the niche browser Brave which depends on its own ad placements to the detriment of websites relying on ads.