Brave Browser is getting protections against undesirable Localhost access
Quote: Brave Software plans to introduce new localhost access controls in Brave Browser 1.54. Localhost refers to resources that are usually found on the user's device and not on the Internet.

Some popular sites and services, Intel's Driver Assistance check comes to mind, require access to localhost resources to work. The feature, which is not limited by most browsers, may also be abused by malicious or shady sites, for instance as a data source for fingerprinting tracking.

Historically, browsers have always allowed access to localhost resources. Legitimate web applications, like Intel's driver assistant, use localhost resources for functionality. Brave Software lists banks, security software, crypto wallets and some hardware devices as other examples of services that make use of localhost connections.

The number of services that access localhost for legitimate purposes is relatively small.

Brave 1.54: localhost protections

Brave Software plans to introduce a change in Brave Browser 1.54 that uses the browser's permission system to give users control over access to localhost resources.

The first visit to Intel's driver & support assistant website, for instance, will trigger the prompt, and users may allow or decline access using it. Most sites that try to access localhost resources won't trigger the prompt, but users may allow access using the permissions system.

Brave Browser uses the following logic regarding localhost access when the change is introduced:
  1. Localhost access from localhost contexts is always allowed by default.
  2. Brave's existing protections against malicious scans of localhost resources and other abuses of localhost resources continue to block these connection attempts.
  3. The new Localhost permission gives users control over access. Sites with the localhost permission set to allow may "make sub-resource requests to localhost resources". Sites do not have the permission by default and most sites won't display a prompt when they try to access localhost resources.
  4. Brave maintains a list of trusted sites, accessible here, that will trigger a prompt when they are accessed for the first time.
The company explains that it made the deliberate decision to limit permission prompts, as it believes that the number of illegitimate prompts outweighs legitimate access significantly.

Brave plans to improve the feature in the future. One of the improvements will introduce the localhost permission prompt for all requests made to localhost resources. Brave Software may introduce this once it has come up with an easy to understand explanation that it can display to users whenever such access is observed.

Brave Software plans to release Brave 1.54 later this month.

Closing Words

Brave notes that other browsers, with the exception of Apple's Safari browser, are allowing localhost access at the time and do not include protections or a permissions system.

Now You: what is your take on this new feature of Brave Browser?
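The four-step logic listed in the quoted article, modelled as an added example (not code from the article or from Brave). The allowlist entry, the `blockedByExistingProtections` flag, the result strings and the ordering of rules 2 and 3 are assumptions made for illustration.

```javascript
// Added illustration of the four rules quoted above; not Brave's code.
// Constructed placeholder: the real trusted-site list is maintained by Brave.
const PROMPT_ALLOWLIST = new Set(['trusted-vendor.example']);

// True for "localhost", *.localhost, 127.0.0.0/8 and ::1. URL.hostname has
// already normalised forms such as 127.1 or 2130706433 to dotted-quad.
function isLocalhost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, '');
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  return /^127\.\d+\.\d+\.\d+$/.test(h) || h === '[::1]';
}

// permission: 'allow' | 'block' | undefined (user never decided).
// blockedByExistingProtections: hypothetical flag standing in for rule 2.
// Evaluating rule 2 before rule 3 is an assumption of this example.
function decideLocalhostAccess({ initiator, target, permission,
                                 blockedByExistingProtections = false }) {
  const from = new URL(initiator).hostname;
  const to = new URL(target).hostname;
  if (!isLocalhost(to)) return 'not-localhost';          // policy does not apply
  if (isLocalhost(from)) return 'allow';                 // rule 1
  if (blockedByExistingProtections) return 'block';      // rule 2
  if (permission === 'allow') return 'allow';            // rule 3
  if (permission === 'block') return 'block';
  // Rule 4: only listed sites prompt; every other site is denied silently.
  return PROMPT_ALLOWLIST.has(from) ? 'prompt' : 'block';
}

// Constructed sample requests.
const samples = [
  { initiator: 'http://localhost:3000/', target: 'http://[::1]:9000/api' },
  { initiator: 'https://tracker.example/', target: 'http://2130706433:8080/' },
  { initiator: 'https://trusted-vendor.example/', target: 'http://127.0.0.1:28380/' },
  { initiator: 'https://tracker.example/', target: 'http://localhost:8080/', permission: 'allow' },
];
for (const s of samples) console.log(s.initiator, '->', s.target, decideLocalhostAccess(s));
```

The second sample shows why the check runs on the parsed hostname: a decimal-integer host still resolves to 127.0.0.1 and is treated as localhost.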