Brave

Current status

Detail: Description
Mechanism: Shields
Originally deployed in: 0.55.18
Latest update deployed in: v1.1.20
Latest update includes: Removed known user tracking parameters from query strings
User controls: Site-specific and global controls for:
  • Cross-site tracker blocking
  • Automatic connection upgrade to HTTPS
  • Script blocking
  • Cookie blocking
  • Device recognition blocking

Brave Shields default settings

Classification of “known trackers”

Brave classifies tracking domains using input from multiple lists:

Brave matches each outgoing request from the web browser against these lists (using various methods for achieving optimized performance), and if a match is made, the request is blocked.

Example: The user visits a site that tries to load the Google Analytics JavaScript library from https://www.google-analytics.com/analytics.js. This URL (and the entire domain, in fact), is listed in the EasyPrivacy list. Thus Brave blocks the request, preventing the browser from downloading the library and executing the Google Analytics tracking code in the web browser.

Because requests are blocked upstream, a request that would have initiated a resource download (such as a JavaScript library) never downloads the resource, and thus the code is not executed in the user's browser. If the request initiated a pixel call (such as a GET for an image), the pixel call is aborted before it is received by the endpoint.

Third-party cookies

All third-party cookies are blocked by default.

Brave uses "cross-site" interchangeably with "third-party" in this case.

First-party cookies

For cookies set with JavaScript's document.cookie, expiration is set to a maximum of 7 days.

Example: The user visits a page that is running an A/B testing tool which stores the experiment details in a cookie named __exp. This cookie is set with JavaScript. Even though setting the cookie works, and the user is assigned to an experiment group successfully, if the user takes more than 7 days to revisit the site, the cookie will have expired and the user would potentially get assigned to a new, different group upon their next visit.

For cookies set with the Set-Cookie HTTP response header, expiration is set to a maximum of 6 months.

Other third-party storage

No restrictions.

Note that because Brave blocks resources found in its classification lists, vendors on those lists can't execute their JavaScript in the user's browser or respond to the blocked HTTP requests, which has the downstream effect of blocking their storage access.

Other first-party storage

No restrictions.

Note that because Brave blocks resources found in its classification lists, vendors on those lists can't execute their JavaScript in the user's browser or respond to the blocked HTTP requests, which has the downstream effect of blocking their storage access.

Referrer

Cross-site referrers are spoofed in non-navigational HTTP requests.

Example: If the page on https://domain.com/page requests a resource from https://anotherdomain.com/image.jpg, the referer header in the HTTP request will be set to the referred-to origin (https://anotherdomain.com/) rather than the referred-from origin (https://domain.com/) as is the typical behavior.

For top-level navigation, cross-site referrers are stripped entirely.

Example: When clicking a link from https://domain.com/page to https://anotherdomain.com/another-page/, the referer header is removed from the request. Similarly, the document.referrer will return an empty string once the user lands on anotherdomain.com.

For same-site requests (both navigational and non-navigational), referrer has normal behavior.

Other

Brave removes known tracker identifier parameters (fbclid, gclid, msclkid, mc_eid) from URL strings. On top-level navigation (e.g. landing on a page with such parameters in the URL), the parameters are stripped out in a 307 internal redirect. On non-navigational HTTP requests, the parameter is stripped from the request URL.

Example: If the user types https://www.domain.com/?fbclid=1.2.3.4 in the omnibox and presses enter, Brave strips the parameter in an internal redirect. Similarly, if the browser makes a request to https://www.domain.com/tracking-pixel.gif?mc_eid=23456, Brave strips the parameter out of the request before it hits the target server.
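The referrer rules and the parameter stripping described above can be modelled together to predict what a target server receives. This is an added example, not Brave's code or anything from the original page; siteOf, stripTrackingParams and outgoingRequest are hypothetical names, and "same-site" is approximated by the last two hostname labels.

```javascript
// Added example: models the rules described on this page; not Brave's code.
const TRACKING_PARAMS = ["fbclid", "gclid", "msclkid", "mc_eid"]; // list from the page

// Assumption: "site" = last two hostname labels. Real browsers use the
// Public Suffix List to find the registrable domain.
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// Remove the listed parameters; other parameters and the fragment are kept.
function stripTrackingParams(url) {
  const u = new URL(url);
  const removed = TRACKING_PARAMS.filter((name) => u.searchParams.has(name));
  removed.forEach((name) => u.searchParams.delete(name));
  return { url: u.toString(), removed };
}

// What the target server would see for one request under these rules.
function outgoingRequest({ url, referrer, navigation }) {
  const { url: cleaned, removed } = stripTrackingParams(url);
  let referer = referrer || null; // same-site: passed through (Referrer-Policy ignored)
  if (referrer && siteOf(referrer) !== siteOf(cleaned)) {
    // Cross-site: navigation drops the header; subresources get the target origin.
    referer = navigation ? null : new URL(cleaned).origin + "/";
  }
  return {
    url: cleaned,
    referer,
    internalRedirect: navigation && removed.length > 0 ? 307 : null,
  };
}

// Constructed sample requests, taken from the examples on this page.
const samples = [
  { url: "https://www.domain.com/?fbclid=1.2.3.4", referrer: null, navigation: true },
  { url: "https://anotherdomain.com/image.jpg", referrer: "https://domain.com/page", navigation: false },
  { url: "https://anotherdomain.com/another-page/", referrer: "https://domain.com/page", navigation: true },
];
for (const s of samples) console.log(s.url, "->", outgoingRequest(s));
```

Analytics and attribution code that depends on these parameters or on a cross-site referrer can be checked against this model to see which signals will be missing for Brave users.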