Some sites seem able to run scripts even when Block Scripts is on


#1

Brave: 1.4.2 (17.09.08.16)
Device: iPad Pro 12.9, iOS 11.0.2
(I think all iOS devices have this issue.)

I have Block Scripts enabled. However, it doesn’t seem to block scripts in all scenarios.

First, Google still shows interactive search suggestions. (Please see screen shots and steps to reproduce this below.)

Second, I also came across some sites (likely phishing sites) in the search results that are able to show an alert / confirm dialog window or other things only possible with JavaScript. If I open the site in iOS Safari with JavaScript turned off, iOS Safari blocks these effects.

(Edited the original post to remove a link that probably no longer works. I will upload screen shots later, and update on ways to reproduce this part.)


#2

Try blocking the cookies. That should work.


#3

Will cc @joel or @LaurenWags for this.


#4

Re: interactive search suggestions

I figured out the exact steps to reproduce this part: JavaScript code for interactive search suggestions still seems to be running even when Block Scripts is enabled. It depends on the exact URL the user enters:

(1) http google dot com
(2) http www google dot com
(3) https google dot com
(4) https www dot google dot com

When Block Scripts is on, (1) and (3) still seem able to run scripts; it shows search suggestions and clicking the menu button on the top left corner brings out the menu. (2) and (4) show no search suggestions and clicking the menu button has no effect.

I will upload screen shots below.


#5

Screen shots for (1)


#6

Screen shots for (1)

Redirected to https and www automatically


#7

Screen shots for (1)

Verifying that Block Scripts is ON


#8

Screen shots for (1)

The menu sliding out when the menu button on the top left corner (icon: three horizontal bars) is clicked:


#9

Screen shots for (1)

Google’s interactive search suggestions keep updating as the user enters more characters in the search bar:


#10

Screen shots for (4)

Enter the URL


#11

Screen shots for (4)

Unlike (1) and (2), it’s not redirected to another URL


#12

Screen shots for (4)

Verifying that Block Scripts is ON


#13

Screen shots for (4)

No interactive search suggestions as the user enters more characters in the search bar.

Clicking the menu button on the top left corner has no effect.


#14

Screen shots for (2) are essentially the same as those for (4). Screen shots for (3) are essentially the same as those for (1). Therefore, I won’t be uploading them. I am only allowed one image per reply.

I also have edited this message to replace URL with “dots.” For some reason, “multiple community members flagged this message as spam.”


#15

Thank you. I have uploaded some screen shots and steps to reproduce the first part of the issue (JavaScript-enabled interactive search suggestions). To double check: Is this category the right place to report this issue?


#16

Screen shot for a site that is able to show a spinning wheel and a popup dialog box:

(Block Scripts is ON)


#17

Screen shot for a site that is showing a countdown in seconds:

(Again, Block Scripts is ON)


#18

Have you tried turning on script blocking on the global context (e.g. via the settings defaults)? The Brave panel on the right is site specific, so if you turn it on for google.com, it will only be on for google.com.

The whole www.google.com vs google.com is due to www being a subdomain. If you are doing script blocking on a site by site basis (which it appears you are), then you will need to enable it for each subdomain as well. This may feel weird in the case of google.com, but may make more sense when considering “blog .somesite.com” or “subwebsite .parentwebsite.com”

Hope that adds some clarity. Again, try disabling scripts via the default settings and you should have a more universal experience.


#19

Yes, scripts are disabled globally in the default settings. I enabled Block Scripts globally in the default settings immediately after installing Brave and before doing any testing. The per site settings in the screen shots inherit from the global settings.


#20

I just tried it again on my iPhone to double check. Block Scripts was enabled right after Brave was installed and before any testing was done. HTTP Google dot com still seems able to run scripts.