Cross-site scripting/Shield question

@cartercarlson, thanks for reaching out.
Good questions all around. I’m in the midst of writing a detailed support document for Shields and their functions so that users like you will have answers to questions like this.

For now, a brief explanation with respect to your post:


Out of the box, Brave allows you to block several types of content when browsing. Shields is used when referring to these built in protections as a whole. So when saying (for example) “I have my Shields Up”, what you’re really saying is “Brave’s built in protections are actively monitoring content as I browse.” Saying that “Shields are down” or “Shields Off” really means that none of Brave’s built in content protections/monitoring are active.

The content that Shields monitors is defined by how you configure your Shields. Shields has different content settings that can be adjusted to suit your browsing preference. We won’t go through them in detail right now, but the five main options are [Allow/Block/Block 3rd Party] Ads/Trackers, Cookies, Scripts, and Device Fingerprinting:


When Brave is first installed, these options are configured to a default state. We have set the default state to be well rounded as far as protection goes, but also flexible for you to visit most sites without issue. You can find what your default Shields are set to by going to Settings --> Brave Shields Defaults or by clicking “Global Shield Defaults” seen at the bottom of the Shields panel (see image above). To cement this idea, remember that Unless manually adjusted (see next paragraph), any website visited (with “Shields Up”) will adhere to these settings.


However, there will inevitably be an issue with some site not displaying properly or some broken functionality that is most likely due to Shields blocking something needed/requested by a website. This is why we’ve included the Shields Panel in your URL bar:
:point_up: This is your best friend. This panel shows the Shields settings for the site that you’re currently on. You can confirm by looking at the domain name in the top section of the panel. If you’re looking right now, it should display

Until you change these settings for any particular site, they will match your default Shields settings (recall that defaults are applied to all websites unless altered - this is why they match on first visit). Once you do alter these settings (site-specific - in the Shields panel) for a website, the configuration will be saved and persisted across browsing sessions. This way, you can configure your Shields settings for a specific site (using the panel) just once (ideally) and not have to touch them again next time you visit that domain.

Still with me? Excellent.
Now that we have a better understanding of Shields functionality and functionality, lets reexamine your question

If your Shields are “down” for a site, this means that Brave is not blocking or monitoring any of the applicable content while browsing the site (note that if your Shields are down for one site, they will be up for any other sites unless previously configured otherwise).

Answering your question

No, we won’t block scripts with Shields down because Shields must be active to achieve this. Instead, you would want to set Shields UP, change the Script blocking option to Block scripts, and alter the other options as needed (for example, if you only wanted to block scripts but allow everything else through (I wouldn’t advise this personally), you would set all other options to “Allow [cookies/ads/etc]”).

This is a tricky issue that we’re frequently adjusting for. Many websites will function/allow you to login while blocking 3rd party cookies (cookies embedded/requested from the site that aren’t coming from/implemented by the site itself - these would be “1st party cookies”). Login data, for example, generally uses a first party cookie (depending on how you authenticate, but that’s for another time).

Further answering your question

Set your Shields options to reflect something that looks like the configuration in the image above. Ensure that you’re only blocking 3p cookies - this should solve most of your login issues with your frequented sites.

Phew, that was a doozy.
I hope this helps you with your problems and gives you stronger foundation on Shields and how they operate in the browser.
If you have any further questions please don’t hesitate to ask. Additionally, when you post next, please remember to read the Posting Guidelines.

1 Like