The Brave team announced that the privacy-centric browser will soon introduce new restriction controls allowing users to specify how long sites can access local network resources.

Locally hosted resources may include images or files needed or used by web programs on your device. Other local resources may include access to devices on your network, such as NAS instances, locally hosted servers, shared network printer files, shared network device/computer data, etc.

It is common for websites and local web applications to request access to local resources in order to fingerprint users or collect information about software running on a user’s machine.

“As surprising as it may seem, most browsers allow websites to access these local resources as easily as they can access other resources on the web”, explains Brave.

This practice has been documented since at least 2020 on websites such as eBay, Citibank, Chick-fil-A and many more, as part of an anti-fraud script used on those sites.

eBay port scanning users in the past
Source: StackExchange

Brave claims that all major modern browsers, including Chrome and Firefox, allow websites to request access to local resources and use them without restriction.

Safari blocks these requests even when they come from secure public websites as a side effect of its security measures rather than as a specific design decision to stop this dangerous practice.

Brave is introducing a localhost access permission to solve this problem while still allowing sites that users trust to access local resources for a limited time.

New localhost resource permission prompt
Source: Brave

“Brave is the only browser that will block requests to localhost resources from secure and insecure public sites, while maintaining a compatibility path for sites users trust,” the Brave team promises.

“Starting with version 1.54 (the current version is v1.52), Brave for desktop and Android will include more powerful features to control which sites can access local network resources and for how long.”

By default, no site will be allowed to access localhost resources. Users can manually grant access by going to “brave://settings/content/localhostAccess” on desktop or “Settings > Site Settings > Localhost Access” on Android.

In addition to this new authorization mechanism, Brave will use filter list rules to block scripts and sites that abuse localhost access.

At the same time, Brave will maintain and update an allowlist of trusted sites that will be allowed to prompt users for access to local network resources on their first visit.

Requests to localhost resources from a localhost context will always be allowed to pass without requiring special permissions.
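To check which pages in a captured request log would run into this default-deny rule, the following added example (not Brave's code) flags requests that a non-localhost page makes to loopback or private-network hosts. The function names `classifyHost` and `findLocalProbes` and the log entries are constructed for illustration, and any hostname that is not an IP literal or `localhost` is assumed to be public.

```javascript
// Added example: flag requests that a public page makes to loopback or
// private-network hosts. Localhost-to-localhost traffic is not flagged.
function classifyHost(hostname) {
  // URL.hostname keeps the brackets around IPv6 literals; strip them.
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, "");
  if (h === "localhost" || h.endsWith(".localhost") || h === "::1") return "loopback";
  const m = h.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (!m) return "public"; // assumption: other names resolve to public addresses
  const [a, b] = [Number(m[1]), Number(m[2])];
  if (a === 127) return "loopback";
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return "private";
  return "public";
}

// Returns the entries where a non-loopback page reached into loopback or private space.
function findLocalProbes(entries) {
  const findings = [];
  for (const { initiator, url } of entries) {
    const from = classifyHost(new URL(initiator).hostname);
    const target = new URL(url);
    const to = classifyHost(target.hostname);
    // A localhost page talking to localhost is expected (local development).
    if (from === "loopback" || to === "public") continue;
    findings.push({ initiator, target: target.host, scope: to });
  }
  return findings;
}

// Constructed sample log: (page origin, requested URL) pairs.
const sampleLog = [
  { initiator: "https://shop.example", url: "https://cdn.shop.example/app.js" },
  { initiator: "https://shop.example", url: "wss://127.0.0.1:8000/" },
  { initiator: "https://shop.example", url: "http://localhost:9000/" },
  { initiator: "http://localhost:8080", url: "http://localhost:3000/api" },
  { initiator: "https://news.example", url: "http://192.168.1.10/status" },
  { initiator: "https://news.example", url: "http://[::1]:631/" },
];

for (const f of findLocalProbes(sampleLog)) {
  console.log(`${f.initiator} -> ${f.target} (${f.scope})`);
}
```

The same function can be fed the request list from a browser HAR export by mapping each entry to its page origin and request URL.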

