brave-browser: First-party domain blocking
Other third-party blocking tools allow filter list authors to block the top-level, first-party request. This is useful when a page is overall harmful, but doesn’t fit SafeBrowsing’s threat model. It’s also useful as a defense-in-depth against phishing, bounce tracking, etc.
Brave currently does not have this capability. We don’t currently have a flexible way of saying “this page shouldn’t be loaded / given first-party storage”. The current way of doing this is SafeBrowsing (which we don’t control / fork) or rules that still load the page, but block all subresources (i.e. https://*$domain=evil.org). Neither of these provides the security and privacy benefits of blocking the initial page load (e.g. inline scripts, bounce tracking, etc).
An implementation should:
- Display the domain being blocked
- Allow user to proceed (to the requested page) or go back (to the previous page)
- Cause zero network requests before the user decides to proceed
- Allow user to create a permanent exception for the domain
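The four requirements above, sketched as a navigation gate that decides before any request is issued. This is an added example, not Brave's code: `FirstPartyGate`, its methods and the `.example` domains are hypothetical, and the network layer is an injected callback so the sketch can count requests.

```javascript
// Added example; every name here is hypothetical, not a Brave API.
class FirstPartyGate {
  constructor(blockedDomains, fetchPage) {
    this.blocked = new Set(blockedDomains.map((d) => d.toLowerCase()));
    this.exceptions = new Set(); // hosts the user chose to always allow
    this.fetchPage = fetchPage;  // injected network layer (assumption)
    this.history = [];           // only pages that were actually loaded
    this.pending = null;         // blocked navigation awaiting a decision
  }
  // A listed domain also covers its subdomains; a bare TLD is never matched.
  matchBlocked(host) {
    const labels = host.toLowerCase().replace(/\.$/, '').split('.');
    for (let i = 0; i < labels.length - 1; i++) {
      const candidate = labels.slice(i).join('.');
      if (this.blocked.has(candidate)) return candidate;
    }
    return null;
  }
  navigate(url) {
    const host = new URL(url).hostname;
    if (this.matchBlocked(host) && !this.exceptions.has(host)) {
      this.pending = { url, host };
      // Return before fetchPage is called: zero requests until the user decides.
      return { action: 'interstitial', domain: host };
    }
    return this.load(url);
  }
  load(url) {
    this.fetchPage(url);
    this.history.push(url);
    this.pending = null;
    return { action: 'loaded', url };
  }
  proceed({ remember = false } = {}) {
    if (!this.pending) throw new Error('no blocked navigation pending');
    const { url, host } = this.pending;
    if (remember) this.exceptions.add(host); // permanent exception
    return this.load(url);
  }
  goBack() {
    // The blocked page never entered history, so "back" is the last loaded page.
    this.pending = null;
    return { action: 'back', url: this.history[this.history.length - 1] || null };
  }
}

// Constructed demo input.
const demoRequests = [];
const demoGate = new FirstPartyGate(['evil.example'], (u) => demoRequests.push(u));
console.log(demoGate.navigate('https://login.evil.example/'), demoRequests.length);
```

Because the exception is keyed on the displayed host, allowing `login.evil.example` does not unblock `evil.example` itself.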
About this issue
- State: closed
- Created 3 years ago
- Comments: 18 (10 by maintainers)
@pes10k NO! 😠 . Just kidding 😆 Yeah, this has to be the approach for all the design system-related debt that needs to be tackled one piece at a time. Implemented design seems fine for now.
@LaurenWags I think it was just missed - thanks for checking - I added the label just now!
@marekciupak yes, this is currently only supported on Desktop and Android, though support on iOS is planned for this year
cool, thanks @karenkliu - when I looked at https://github.com/brave/brave-browser/issues/7464 it didn’t have the OS/Desktop label and I didn’t want to assume everything would be the same.
Hi @pilgrim-brave - would you be able to help QA by devising a mini test-plan to put in https://github.com/brave/brave-core/pull/7952, for us to key off?
I see the cases in https://github.com/brave/brave-core/blob/34f21675d82ed24168d057b69735ffb5f47cab07/browser/brave_shields/domain_block_page_browsertest.cc; if those would work for us, to test manually, can you help take a few examples of them and distill them into step-by-step tests?
And can you confirm they are in Adblock Plus filter format via brave://adblock (https://adblockplus.org/filter-cheatsheet)?
Thanks! 🙏
(ccing: @brave/legacy_qa and setting QA/Blocked, just until we’re able to sync up on a good test-plan for this 🤜 🤛 )