Brave blocking legitimate client-side script

Simonwijckmans · March 12, 2025, 1:32pm

Description of the issue:
Our script is being blocked by Brave suddenly. Our solution operates on proxy.cside.dev js.cside.dev and proxy.csidetm.com are both scripts meant to intercept client-side scripts for analysis against malicious client-side actions like data exfiltration, crypto mining, malware injection… We understand our script does not look like the usual chatbot script however it is legitimate and used by various sites to prevent malicious client-side executions. We noticed Brave blocked proxy.cside.dev however when turning off Brave Shield everything returns to normal working condition. Can you please update your records to allow our script to be fetched again? Simon Wijckmans CEO c/side
Steps to Reproduce (add as many as necessary): 1. 2. 3.
Visit cside.dev or looskie.com and notice the scripts not fetching
Actual Result (gifs and screenshots are welcome!):

Expected result:
Unblock our domains proxy.cside.dev js.cside.dev proxy.csidetm.com and cs.security (future use)
Reproduces how often:
100% of the time on js.cside.dev proxy.cside.dev

Operating System and Brave Version(See the About Brave page in the main menu):
All
Additional Information:
Reproduced on multiple devices

Simonwijckmans · March 12, 2025, 1:35pm

Related: Brave shield false positive

fanboynz · March 13, 2025, 10:32pm

github.com/easylist/easylist

easyprivacy/easyprivacy_thirdparty.txt

master


      
          ||pnekru6pxrum-a.akamaihd.net^
          ||pxlgnpgecom-a.akamaihd.net^
          ! fastly
          ||7q1z79gxsi.global.ssl.fastly.net^
          ||clarium.global.ssl.fastly.net^
          ||dfapvmql-q.global.ssl.fastly.net^
          ||fastly.net/i?
          ||fastly.net/sp.js
          ||vwonwkaqvq-a.global.ssl.fastly.net^
          ! CPU abuse
          ! https://publicwww.com/websites/%22cloudfront.net%2Fscript.js%22/
          ||cloudfront.net./script.js
          ||cloudfront.net/script.js
          ! Seals, Websecurity, Protection etc. Unnecessary third-party scripts
          ||antillephone.com^$third-party
          ||beyondsecurity.com^$third-party
          ||geotrust.com^$third-party
          ||gmo-cybersecurity.com/siteseal/$third-party
          ||guarantee-cdn.com^$third-party
          ||howsmyssl.com^$third-party
          ||js.trendmd.com^$script,subdocument,third-party

caused by:

! CPU abuse
! https://publicwww.com/websites/%22cloudfront.net%2Fscript.js%22/
||cloudfront.net./script.js
||cloudfront.net/script.js

Because of the CNAME:

 ;; ANSWER SECTION:
js.cside.dev.           300     IN      CNAME   d2442dnkbuc5yr.cloudfront.net.

It’ll pick this up.

Simonwijckmans · March 13, 2025, 10:39pm

Hi, thanks for your response.
So I refer to proxy.cside.dev as that is where our client-side script rewrites other scripts to.
The initial blocking is happening on js.cside.dev/script.js

We do referrer header validation to serve the correct client-side script for our customer so its normal to receive a host-header validation error on trying to access proxy.cside.dev or proxy.csidetm.com.

If I understand your response correct: because js.cside.dev/script’js points to a CNAME record of Cloudfront it is considered the same as cloudfront.net/script.js - am I correct?

If that is the case that would cause severe false positives as any file named script.js hosted on cloudfront would face the same issue. That does not make a ton of sense.

Simonwijckmans · March 13, 2025, 10:40pm

Feel free to check one of our sites that has this script present: https://looskie.com/

fanboynz · March 13, 2025, 10:42pm

As a test rename script.js to something else?

Simonwijckmans · March 13, 2025, 10:43pm

Our customer hard coded that script into their site, that is not a solution I’m afraid. Let me put Cloudflare in front of it so that you can’t trace the CNAME down to Cloudfront and see if that fixes it.

fanboynz · March 13, 2025, 10:45pm

Sure. This rule isn’t new btw.

Rule isn’t new, so been in Brave (and Easyprivacy) for some time. 2019.

Simonwijckmans · March 13, 2025, 10:47pm

Can you try on your end? Brave continues to resolve to the Cloudfront DNS record on the browser while a terminal dig is not showing Cloudfront on my end - not sure if there is some blocking cache or DNS cache I can’t clear.

Update: brave://net-internals/#dns

Fixed it by chucking Cloudflare in front of it.

Simonwijckmans · March 13, 2025, 10:51pm

Thanks for your help. If I may be a Karen for 2 seconds - thats a lazy rule by the threatfeed. They could have at least included the Cloudfront subdomain ID in that rule. Now no one on the entire internet can host a file named script.js on Cloudfront without it being blocked by Brave. That makes no sense, IMO that rule should be filtered out by Brave as being a low quality false positive prone rule.

fanboynz · March 13, 2025, 10:55pm

Looks good here.

couldfront.net/script.js a known abusive script. Seems wide ranging, and it is, very little issues from it. and Since Amazon allows these scripts to keep generating randomised sub domains, the only solution is to block this specific script.js https://publicwww.com/websites/"cloudfront.net%2Fscript.js"/

If Amazon ever decides to stop hosting malicious scripts, the rule will be reevaluated. But given its been 6 years I don’t hold any hope.

Simonwijckmans · March 13, 2025, 11:03pm

Its not specific at all though, if it was a script hash based block it would actually block the script but nothing is stopping the bad actor from moving to script2.js without changing the payload. If a bad actor put a malicious payload on index.html you wouldn’t block every Cloudfront bucket with an index.html on it either, you’d check the script payload. I also don’t think it makes sense that Brave is tracing down the DNS chain for such wide rules.

I wish everyone knew the name ‘script.js’ was doomed to use on a Cloudfront container but that sounds unrealistic. There are no alerts for that anywhere and I think its unfair to expect web developers to search Github for every filename they come up with whether it can trigger a super broadly written rule.

fanboynz · March 13, 2025, 11:07pm

Many bad actors; just a sample size. And we’re not writing specific subdomain blocks for each, although we have enough of these already.

https://dxj0czkqjyaab.cloudfront.net/script.js
https://d14pdm1b7fi5kh.cloudfront.net/script.js

system · April 12, 2025, 11:08pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Brave shield false positive Browser Support browser , ads-bug , ads	2	55	March 13, 2025
Brave identified and blocked by sites Ad-Blocking	7	587	September 17, 2022
Brave is blocking Plausible Analytics script Browser Support windows	3	1759	January 1, 2021
Question about Java Script and Script Blocking (Brave Shields) Desktop Support windows	1	236	June 9, 2024
Script blocking broken by release 1.46 Mobile Support ios	3	549	February 11, 2023
Scripts not blocked despite Shields settings set to block scripts Desktop Support macos	2	1683	June 2, 2023
Unable to unblock specific scripts Desktop Support windows	6	2776	February 23, 2022
Malvertising discovered on schaken mods that brave is not blocking Ad-Blocking performance , privacy , feedback , browser , ads	1	510	April 26, 2024

Brave blocking legitimate client-side script

Related topics