Cross-site scripting/Shield question


#1

I just read this article which talks about the risks of cross-site scripting attacks, how they work, and what types of attacks are used. It is the first time I’ve heard about cross-site scripting, and I think it would be important to mention on the Brave website.

I know that Brave has the ability to block scripts, but I think the feature is only available when browsing with ‘Shields Up’. Will a future Brave version have the ability to block scripts even when your Shield is down? Or is Brave currently able to block scripts with a shield down?


Currently, I have my Shield down on the websites I frequently browse so that I don’t have to re-login each time I visit the page. Is there a way to keep my Shield up for websites so that I’m not constantly required to re-login?

I know that I can go to into settings and enable cookies for sites if I still have Shields up. Will Brave add functionality to automatically enable cookies for websites with login information saved? That would make it a lot easier than manually going through each website I have passwords saved for.


Mystery of the broken message editor
#2

@cartercarlson, thanks for reaching out.
Good questions all around. I’m in the midst of writing a detailed support document for Shields and their functions so that users like you will have answers to questions like this.

For now, a brief explanation with respect to your post:
"Shields"
Out of the box, Brave allows you to block several types of content when browsing. Shields is used when referring to these built in protections as a whole. So when saying (for example) “I have my Shields Up”, what you’re really saying is “Brave’s built in protections are actively monitoring content as I browse.” Saying that “Shields are down” or “Shields Off” really means that none of Brave’s built in content protections/monitoring are active.

The content that Shields monitors is defined by how you configure your Shields. Shields has different content settings that can be adjusted to suit your browsing preference. We won’t go through them in detail right now, but the five main options are [Allow/Block/Block 3rd Party] Ads/Trackers, Cookies, Scripts, and Device Fingerprinting:

Defaults
When Brave is first installed, these options are configured to a default state. We have set the default state to be well rounded as far as protection goes, but also flexible for you to visit most sites without issue. You can find what your default Shields are set to by going to Settings --> Brave Shields Defaults or by clicking “Global Shield Defaults” seen at the bottom of the Shields panel (see image above). To cement this idea, remember that Unless manually adjusted (see next paragraph), any website visited (with “Shields Up”) will adhere to these settings.

Site Specific
However, there will inevitably be an issue with some site not displaying properly or some broken functionality that is most likely due to Shields blocking something needed/requested by a website. This is why we’ve included the Shields Panel in your URL bar:
image
:point_up: This is your best friend. This panel shows the Shields settings for the site that you’re currently on. You can confirm by looking at the domain name in the top section of the panel. If you’re looking right now, it should display community.brave.com.

Until you change these settings for any particular site, they will match your default Shields settings (recall that defaults are applied to all websites unless altered - this is why they match on first visit). Once you do alter these settings (site-specific - in the Shields panel) for a website, the configuration will be saved and persisted across browsing sessions. This way, you can configure your Shields settings for a specific site (using the panel) just once (ideally) and not have to touch them again next time you visit that domain.

Still with me? Excellent.
Now that we have a better understanding of Shields functionality and functionality, lets reexamine your question

If your Shields are “down” for a site, this means that Brave is not blocking or monitoring any of the applicable content while browsing the site (note that if your Shields are down for one site, they will be up for any other sites unless previously configured otherwise).

Answering your question: no, we won’t block scripts with Shields down because Shields must be active to achieve this. Instead, you would want to set Shields UP, change the Script blocking option to Block scripts, and alter the other options as needed (for example, if you only wanted to block scripts but allow everything else through (I wouldn’t advise this personally), you would set all other options to “Allow [cookies/ads/etc]”).

This is a tricky issue that we’re frequently adjusting for. Many websites will function/allow you to login while blocking 3rd party cookies (cookies embedded/requested from the site that aren’t coming from/implemented by the site itself - these would be “1st party cookies”). Login data, for example, generally uses a first party cookie (depending on how you authenticate, but that’s for another time).

Answering your question: Set your Shields options to reflect something that looks like the configuration in the image above. Ensure that you’re only blocking 3p cookies - this should solve most of your login issues with your frequented sites.

Phew, that was a doozy.
I hope this helps you with your problems and gives you stronger foundation on Shields and how they operate in the browser.
If you have any further questions please don’t hesitate to ask. Additionally, when you post next, please remember to read the Posting Guidelines.


#3

Wow, that was one hell of a response. Thank you for all of the help answers! I hope these answers helps others too.


#4

My pleasure! I’ll leave the topic open a while longer in case others have questions or comments to add.


#5