Security: Why does Brave (or Chromium or Google Chrome) want to accept incoming connections?

Why does Brave (or Chromium or Google Chrome) want to accept incoming connections? (A pointer to the relevant browser source/component handling incoming connections would be helpful.)
I searched (googling and Brave content searches for “incoming”) and only found places where this question was asked re a related browser, and even then, found no answers. Most notably:

  1. On r/chrome: Do_you_want_google_chrome_to_accept_incoming connections - very detailed ask, with results of their googling, screenshots, (platform (also macOS)), logs… by u/tomihasa
  2. Here on support.google.com with 5 upvotes, but locked and 0 replies. (Similar thread. Commiseration, but no answers; locked.)

How can this issue be reproduced?

  1. Launch Brave for the first time.
  2. See query.

Expected result:
Inform users why this is wanted before asking for it (preferably in-app, but at least in documentation or here.)
Brave Version:
[Version 1.10.97 Chromium: 83.0.4103.116 (Official Build) (64-bit)]
Additional Information:
I read this might be related to notifications, depending on how they’re implemented. (Are they? In the most secure kind of implementation, are these needed? And assuming they are, what else are incoming connections used for by Brave?)
A pointer to the relevant source/component handling incoming connections would be helpful.

Digging further, I found some somewhat useful info in a 2014(!) Wired article which led me to notice in Brave:

  • a “Use Google Services for Push Messaging” setting (more mystery).

  • It looks like sandboxed plugins are always allowed. (!!!???)

I’ve also seen these and blocked them in my firewall in both Chrome and Brave, with no loss of functionality AFAICT. Do you have any Google WiFi or Google Nest devices in your vicinity? I noticed in Little Snitch that the incoming requests were all from 192.168.86.x on port 5353 (mDNS). https://support.google.com/googlenest/thread/29621580?hl=en suggests this is the range for Google Nest devices.

2 Likes

Nope, nope - unless you count a Google Home speaker.
IIRC, I see the prompt if I go to a website that wants to ask me to accept Notifications. Which are rarely welcome, but occasionally are.
I don’t think it’s just Chromium-based browsers that want to accept incoming connections, but as I recall, it is a relatively new thing. Could be for interacting with media players, and other computers/phones/tablets, automation, media casting, website notifications, and more I’m not thinking of.

https://bugs.chromium.org/p/chromium/issues/detail?id=859359 suggests the mDNS connections could also be Cloud Print or Chromecast. Either way, I’d say just disable incoming connections in your firewall if you don’t use this functionality.

2 Likes

Thanks, that’s been a helpful lead.

It would be good marketing, documentation, support, security practice and ethics if a full list of uses/features it enables were provided. (This is true for all browsers with a built-in server.)

Currently, Handoff from Brave isn’t working, and I wonder if this has anything to do with it. Probably not (surely the OS handles that!) but I’m left wondering.
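
A defender's check for the port 5353 (mDNS) traffic described in the replies, as an added example that is not part of the original thread: it parses `lsof -nP -i` output and lists the sockets on which a browser process can receive unsolicited traffic. The sample output, the process names in it and the function name `inbound_sockets` are constructed for illustration.

```python
import ipaddress

MDNS_PORT = 5353  # the port reported in the thread

# Constructed sample of `lsof -nP -i` output (not captured from a real machine).
SAMPLE = r"""COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Brave\x20  411 alice  88u  IPv4 0xaaa1      0t0  UDP *:5353
Brave\x20  411 alice  91u  IPv6 0xaaa2      0t0  UDP *:5353
Brave\x20  411 alice 102u  IPv4 0xaaa3      0t0  TCP 192.168.86.20:51544->203.0.113.7:443 (ESTABLISHED)
Brave\x20  411 alice 110u  IPv4 0xaaa4      0t0  TCP 127.0.0.1:49152 (LISTEN)
mDNSRespo  201 root   12u  IPv4 0xaaa5      0t0  UDP *:5353
"""

def inbound_sockets(lsof_text, command_prefix):
    """Return sockets of matching processes that can receive unsolicited traffic."""
    found = []
    for line in lsof_text.splitlines():
        f = line.split()
        if len(f) < 9 or f[0] == "COMMAND" or not f[0].startswith(command_prefix):
            continue
        family, proto, name = f[4], f[7], f[8]
        state = f[9] if len(f) > 9 else ""
        if proto not in ("TCP", "UDP"):
            continue
        if "->" in name:
            continue  # connected socket: already tied to one remote peer
        if proto == "TCP" and state != "(LISTEN)":
            continue  # only listening TCP sockets accept new connections
        host, _, port = name.rpartition(":")
        if not port.isdigit():
            continue  # e.g. "*:*", not bound to a specific port
        host = host.strip("[]")  # lsof brackets IPv6 literals
        loopback = host != "*" and ipaddress.ip_address(host).is_loopback
        found.append({
            "pid": int(f[1]), "family": family, "proto": proto,
            "bind": host, "port": int(port),
            # "network" means reachable from other hosts unless a firewall blocks it
            "scope": "loopback" if loopback else "network",
            "service": "mDNS" if int(port) == MDNS_PORT else "unknown",
        })
    return found

if __name__ == "__main__":
    for sock in inbound_sockets(SAMPLE, "Brave"):
        print(sock)
```

On a real machine, feed it the text of `lsof -nP -i` instead of `SAMPLE`; sockets with scope `network` are the ones a firewall's incoming-connection rule applies to.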