-
Notifications
You must be signed in to change notification settings - Fork 2.4k
Blocking goals and policy
Brave modifies how websites execute, and what network requests websites can make. Brave does this to protect user privacy, improve website performance, and generally improve the experience for users. This document describes both the policy Brave uses to decide what to block and modify, and the techniques Brave uses to approximate the policy in the browser. We can only at best "approximate" the policy because of the wide variety in how websites work, and the efforts trackers go to circumvent user protections.
Brave's default settings attempt to protect user privacy by blocking third-party advertising. Brave's goal in doing so is not to block the advertisement images themselves, but to block the tracking such advertisements cause. In practice, it is difficult-to-impossible to distinguish third-party advertising with third-party tracking, so Brave blocks both.
In Standard blocking mode (the default), Brave does not apply network-level filter list blocking to first-party requests. In Aggressive blocking mode, both third-party and first-party requests are blocked. Read more in the blog post.
Note: Brave will always attempt to block anti-adblock behavior.
While Brave does not intentionally target first-party advertising for blocking, Brave doesn't consider it an error either. In other words, Brave does not try to block first party ads, but won't take efforts to unblock first-party ads if they're being blocked by other steps.
Similarly, Brave also blocks code that attempts to identify (fingerprint) users based on unique browser characteristics, hardware configuration and similar semi-unique data points. Such identification techniques are just as harmful to users as traditional cookie-based tracking.
Finally, Brave intentionally blocks website behaviors that are harmful to users, whether or not those behaviors are privacy-harming. For example, Brave blocks crypto-mining scripts. These scripts use the user's computer in an intensive manner to try and earn money for the hosting website, and result in degraded performance and reduced battery life. Crypto mining scripts are only one such example, but when possible, Brave will modify websites and requests to improve the user experience.
Brave allows first-party analytics scripts as long as the script does not engage in clear cases of user-harmful behaviour as defined above.
Brave also aims to empower users who wish to block first-party advertising and tracking scripts, even though doing so often comes at an increased risk of website breakage. Many Shields settings have two levels of strength to accommodate these use cases for advanced users, and Brave's adblocker is extensible with custom filter list entries and subscriptions.
Brave makes a best effort attempt to enforce the above policy, through a number of steps. The majority of the below described techniques are controlled by the "Shields" panel in Brave, and can be disabled if and when the user desires too. Because of platform restrictions, Brave is not able to use all of these techniques on iOS, though we are constantly looking for ways of increasing protections on that platform.
First, Brave blocks the most common tracking mechanism, sending cookies to third party resources. By default, Brave never sends cookies to third parties, nor respects storage setting and reading operations by scripts operating in the third party contexts.
Second, Brave modifies the referrer header when making cross origin requests. Brave "lies" on these requests, and says the request was being issued from the same domain being requested, instead of the true, cross-domain origin.
Third, Brave prevents third party frames from tracking users through passive finger printing techniques. Brave modifies or returns false values for a number of Web API endpoints that can be used to identify users (e.g. Canvas API, WebGL, Web Audio API, etc.). Brave by default only does this in third party contexts, but can be modified to perform the same protections globally, or not-at-all.
Fourth, Brave pulls from a variety of community developed filter lists, or lists of URLs used for carrying out advertising or tracking. These lists include EasyList and EasyPrivacy, lists generated by the uBlock Origin project, and lists maintained by Brave itself. URLs identified by these lists are either blocked, or have their resources modified, to protect users. Brave also uses lists to block coin miners and scripts that engage in "notifications spam." The current, full set of filter lists Brave uses can be found in our source.
In this mode, Brave will block any identified first-party content specified by default filter lists. CNAME uncloaking is also enabled to block additional resources that may normally go undetected.
An up-to-date catalog of Brave's default and optional adblock lists can be found in the list catalog, in the adblock-resources repository. In the browser, this can be found on the brave://settings/shields/filters
settings page.
- Regional adblock lists
Brave has toggleable country-specific adblock filter options. These filter lists are imported from various list authors and will offer added protection not covered by Easylist (which is an English-specific list).
Mobile: Can be configured in the settings/privacy
Desktop: Filters can be changed using brave://settings/shields/filters
- EasyList
Primary filter list that removes most advertisements from webpages.
Type of Rules: #network
#cosmetic
Address: https://easylist.to/easylist/easylist.txt
Support: https://forums.lanik.us/
- EasyPrivacy
Removes tracking scripts, information collectors and other tracking elements. Protecting your privacy.
Type of Rules: #network
Address: https://easylist.to/easylist/easyprivacy.txt
Support: https://forums.lanik.us/
- Brave-unbreak (Brave specific list)
Brave-generated filter rules to address web compatibility issues unique to Brave, and to target anti-adblock resources.
Type of Rules: #network
Address: https://github.com/brave/adblock-lists/blob/master/brave-unbreak.txt
Support: https://github.com/brave/adblock-lists/issues
- uBlock Lists
uBlock Origin community filters to counter broken sites and to address privacy scripts.
Type of Rules: #network
#cosmetic
Address: https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/filters.txt
Address: https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/filters-2020.txt
Address: https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/badware.txt
Address: https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/privacy.txt
Address: https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/resource-abuse.txt
Address: https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/unbreak.txt
Support: https://github.com/uBlockOrigin/uAssets/issues
- URLhaus Malicious URL Blocklist
Blocks websites that exist solely to serve malware.
Type of Rules: #network
Address: https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
Support: https://gitlab.com/curben/urlhaus-filter
- Peter Lowe's ad and tracking server list
Blocks ad servers, tracking servers, malware servers, and anti-adblock servers.
Type of Rules: #network
Address: https://pgl.yoyo.org/adservers/serverlist.php?hostformat=adblockplus&showintro=1&mimetype=plaintext
Support: https://pgl.yoyo.org/adservers/
- Brave Social
Prevents third-party social media elements from loading to protect user privacy.
Type of Rules: #network
Address: https://raw.githubusercontent.com/brave/adblock-lists/master/brave-lists/brave-social.txt
Support: https://github.com/brave/adblock-lists
Please see https://github.com/brave/adblock-resources/blob/master/filter_lists/list_catalog.json for a full catalog.
Per Apple's App Store Review Guidelines (section 2.5.6
):
Apps that browse the web must use the appropriate WebKit framework and WebKit Javascript.
The iOS version of Brave is constrained by what is available to WKWebview. Brave utilizes the Content Blocker extension to implement a subset of the lists available to Android and Desktop, called Slim List. Each week, the code from Slim List Lambda will execute from a Brave host and generate a new list for use in iOS. This list is then uploaded to AWS S3 where the iOS browser will fetch it at run-time (at program launch and then every 6 hours afterwards). We're looking into deprecating this.