Tracking and fingerprinting protection seems to be failing

Description of the issue:
Hi. I’ve set trackers and ad blocking to aggressive, fingerprinting blocking to strict. Cookie blocking is “only cross-sites”. I’ve turned off all of Google login button and embedded social media.

So I’m experimenting. I log in to google.com with a Google account. Then I go to youtube.com . Immediately on YouTube, I’m automatically logged in to the Google account.

Also on some other websites not owned by Google, I can still “sign in with Google” with a Google login button, and with one click it succeeds.

Either I’m misunderstanding Brave, or it’s malfunctioning? With my settings, even though I have a tab logged into google.com, other tabs with youtube.com, and any different domain will not be able to see the login cookie stored by google dot com, and will also think I have a different browser fingerprint, right? So there should be no way to recognize my Google account. Yet I’m still automatically logged in on YouTube, and can one-click login w/ Google on other domains.

Steps to Reproduce (add as many as necessary): 1. 2. 3.
Already described.

Actual Result (gifs and screenshots are welcome!):
Already described.

Expected result:
I expected youtube dot com to not be able to automatically log me in. I expected that I won’t be able to login with Google on other domains.

Reproduces how often:
Every time.

Operating System and Brave Version(See the About Brave page in the main menu):
Linux, Brave V1.18.75

Additional Information:
Please enlighten me.

Google’s login system is pretty confusing. There are two separate things going on here:

  1. When you log into a Google service, say GMail, you go to accounts.google.com and then as part of the login flow, they create a cookie for google.com but also for youtube.com via a redirection. That way they log you into both at once.

  2. Signing in with Google SSO on non-Google websites can be done in many different ways. Some of those flows require a third-party cookie exception (that’s basically what the Brave setting toggles ON/OFF) but other flows work fine without those cookies.

Regarding the first point, I’m with you, I’d love to be able to be logged in to say my work Google calendar without browsing YouTube under my work identity. The best way to do that is to open YouTube in a private window.

The second point explains why you are able to login with Google on some sites even when you turn off the option.

3 Likes

Great response, thank you!