The Brave browser will control how sites access local resources.
The developers of Brave have announced that their browser will soon get new functionality that will allow users to decide for themselves how long sites can access local resources. In fact, Brave will help fight sites that spy on visitors by scanning their open ports or abusing access to network resources, which can lead to the disclosure of personal information.
Starting with version 1.54, Brave will automatically block the port scanning that many websites do. The fact is that in recent years this dubious practice has been used on a variety of resources. According to this list, compiled in 2021 by researcher G666g1e, 744 sites scanned visitors' ports, most of which did so without prior notice or permission. The offending sites included eBay, Chick-fil-A, Best Buy, Kroger, and Macy's.
Additionally, sites often use a similar tactic, attempting to profile visitors in order to re-identify them each time they return (even if the cookies have been deleted in the process). By running scripts that access local resources on people's devices, sites can detect unique patterns in users' browsers.
For example, locally hosted resources may include images and files that web applications actually need to run on that device. But other local resources may include other devices, including NAS, locally hosted servers, shared network printer files, shared network device/computer data, and so on.
Sometimes sites have good reasons for accessing local resources, but more often than not, it's just a common misuse of this ability. For example, sites and local web applications often request access to local resources in order to fingerprint users and collect information about what software is running on the visitor's computer. Brave developers note that, in general, abuses of access to localhost resources are much more common than cases that benefit users.
Surprisingly, most browsers allow sites to access these local resources just as easily as they access other resources on the web.
The creators of Brave explain that almost all major modern browsers, including Chrome and Firefox, allow sites to request access to local resources and use them without restrictions. Safari blocks such requests, but this is a side effect of its defense mechanisms, and not a deliberate decision by the developers to stop this dangerous practice. To combat this issue, Brave will introduce localhost permissions.
Brave is the only browser that will block requests to access localhost resources from both secure and insecure public sites while maintaining compatibility for sites users trust, the Brave team promises. Starting with version 1.54 (current version 1.52), Brave for desktop and Android will come with more powerful features to control which sites can access local network resources and for how long.”
In addition to the new permission mechanism, Brave will use a filter list to block scripts and sites that abuse localhost access. The browser will also maintain and update a list of allowed trusted sites that will be allowed to prompt users to allow them access to local network resources on their first visit. Requests to localhost resources in the localhost context will still be made without special permissions.
