Permissioning access to localhost connections

ShivanKaul commented 1 year ago

Similar to https://github.com/brave/brave-browser/issues/26273, we'd like to add a new site permission called Localhost connections. There are several legitimate use-cases that involve the website asking for access to localhost e.g. a localhost-based websocket.

Currently we block all localhost connections via Adblock, but allowlist some in brave-specific.txt.

We will be able to safely add exceptions to the localhost-blocking adblock rules, once we have this. NOTE: we still want adblock rules to apply before applying this permission. After this permission is added to Brave, in order for a site to have access to localhost resources, it still needs to do 2 things:

It needs to be allowlisted in brave-specific.txt.
The user needs to click Allow in the permission prompt.

NOTE: we only permission/block requests based on the URL, not the resolved IP address. This will be addressed in a follow-up: https://github.com/brave/brave-browser/issues/30038

Functionality:

Create new permission/content setting called Localhost Access.
Apply adblock filter rules as normal.
Detect if a request is from a valid non-localhost requesting origin for a subresource that looks like a localhost resource.
If current permission status is DENY, cancel the request (net:: ERR_ACCESS_DENIED).
If current permission status is ALLOW, allow the request (net::OK).
If current permission status is ASK, cancel the request (net:: ERR_ACCESS_DENIED), and show permission prompt.
If permission granted, reload the tab. Now the permission status will be ALLOW, and the user will not get re-prompted for localhost subresource requests.

nacmonad commented 1 year ago

Hi are there plans to implement this?

ShivanKaul commented 1 year ago

Working on a PR right now. If folks have test websites that don't currently work on Brave, please drop them here, would help a lot with smoke testing.

CharlieGreenman commented 1 year ago

@ShivanKaul if interested razroo.com x razroo vscode plugin(https://marketplace.visualstudio.com/items?itemName=Razroo.razroo-vscode-plugin) is a good example(will need to sign up/sign into razroo in order to use). We spin up a local server/localhost in the vscode plugin and pass information directly from web to local vscode plugin. It works on chrome, and edge, but not on brave for I believe this reason. If authentication works with vscode plugin, it means officially fixed.

ShivanKaul commented 1 year ago

Cool, that seems to work well on my local feature branch for this issue. This is the experience:

https://user-images.githubusercontent.com/5284154/220427702-b3cb09db-f848-4f02-905f-3a71ed1557b7.mov

CharlieGreenman commented 1 year ago

cool that means it should be working as expected. Prior brave users were unable to authenticate. Thank you

ShivanKaul commented 1 year ago

Thanks for the use-case! Helps a lot. If others have ones too, that would help get this out faster because we'd be surer we're not breaking things.

nacmonad commented 1 year ago

Thanks for the use-case! Helps a lot. If others have ones too, that would help get this out faster because we'd be surer we're not breaking things.

Is there a dev branch I can check out? I am running into this issue presently, but the software is proprietary/beta...

CharlieGreenman commented 1 year ago

@nacmonad just to confirm is that question directed to me or @ShivanKaul

CharlieGreenman commented 1 year ago

🚀

ShivanKaul commented 1 year ago

This feature has been merged in for both Desktop and Android but is default-disabled while we work on a better way of shipping which websites should be allowed to request permission.

CharlieGreenman commented 1 year ago

@ShivanKaul why not allow users to decide that on their own?

ShivanKaul commented 1 year ago

There is a very real danger of port-scanning attacks to fingerprint users which is why we'd blocked localhost connections in the first place. We want to prevent those websites from being able to spam users with permission prompts, which has an additional danger of training users to say yes to dangerous actions that they may not understand the significance of while they're just trying to get work done in the browser (which is why Brave disables Filesystem API, for instance).

@CharlieGreenman the razroo auth use-case you brought up seems legitimate. We will add that to the initial list when we roll it out.

CharlieGreenman commented 1 year ago

Thank you. It goes without saying my thanks as always

MicahZoltu commented 1 year ago

default-disabled while we work on a better way of shipping which websites should be allowed to request permission.

I'm generally not a fan of a whitelist (which it sounds like you are suggesting), as that seems fairly antithetical to the idea of a "decentralized and permissionless internet". Could you solve the spam problem similar to how Firefox (and maybe Brave too) solves the alert popup and new tab spam problem with a dialog that asks if you want to let the site continue to prompt you?

It seems that the same technique as mic/camera/notification access could be used, where the page asks for permission to access other services running on your device and you can accept, reject, and reject with prejudice (never ask again for this site).

ShivanKaul commented 1 year ago

The issue is not one particular website doing it (Brave has finer-grained permission scope and lifetime than other browsers), but multiple websites prompting for the localhost permission. Port-scanning fingerprinting attacks are very common and easy [1], [2].

Our general stance has been that Web APIs too harmful for user privacy should be disabled without a permission prompt, because users cannot meaningfully consent to them. In the case of localhost connections, it seems like there are some benign use-cases, so we're experimenting with selectively allowing them.

MicahZoltu commented 1 year ago

Perhaps I'm misunderstanding. How would you selectively allow some use cases without doing specific website whitelisting? Are you thinking of allowing some subset of ports or protocols or something when communicating with localhost, while disallowing port scanning? Or perhaps constrain how many ports a given website can attempt to query locally before they get locked out from querying any additional ports?

ShivanKaul commented 1 year ago

We will be allowing only specific websites to ask for this permission.

MicahZoltu commented 1 year ago

I don't think that a permissioned/gatekept web is an appropriate solution for this. Even though I want this feature, I think permissioning it is a strictly worse solution than not having it at all because it allows large companies to create moats around their exclusive access to browser features and it reduces the impetus and pressure for the Brave team to find a solution that works for everyone.

As a user and a web/extension developer, Brave implementing a permissioned web in their browser is a huge turnoff for me. I generally like Brave's position on security, privacy, and censorship resistance, but if you all start permissioning/censoring the web it will result in massive negative marks in my internal browser scoring rubric.

ShivanKaul commented 1 year ago

Just to clarify, there will be a way for a user to override which websites get this permission by going to the permission setting page: brave://settings/content/localhostAccess. This is just how Chromium permissions work.

This is part of the enhancement we're exploring -- currently adblocking happens first, so requests are blocked before they get to the permissioning code, but we're working on changing that because we'd like to decouple localhost blocking from adblocking. Details TBD.

ShivanKaul commented 1 year ago

But there will be a default list of websites that can ask for this permission.

MicahZoltu commented 1 year ago

If users can add sites to the whitelist then I think that mitigates a lot of my concerns. I'm not a huge fan of having a built-in whitelist as it gives preferential treatment to "friends of Brave" (or people who can afford the registration costs, or people who KYC, or people who go through some bureaucratic process or whatever).

Will it be possible to have certain localhost resources made available to all websites? For example, if I am running a local Ethereum client or IPFS client, I would like any website to be able to probe for and access those. A website might first probe to see if I have IPFS running locally and if so use that (which I would prefer) then fallback to a central server (same for Ethereum client). I don't want to have to whitelist every website that wants to use these resources as they are intended to made available to web apps.

In this scenario, I would still be fine with getting a prompt "This website wants to access your Ethereum client: Allow, Deny", but I wouldn't want to have to add every single website to the whitelist by hand, and I also wouldn't necessarily want to give every website full unrestricted access to all localhost resources (only a couple that I have intended to make available as part of a suite of decentralized web tools).

stephendonner commented 1 year ago

Verification `PASSED` using

Brave	1.52.86 Chromium: 113.0.5672.77 (Official Build) beta (x86_64)
Revision	c4236862955e005c2187105415ac4a2ecf86dff1-refs/branch-heads/5672_62@{#3}
OS	macOS Version 13.4 (Build 22F5059b)

Prerequisites:

1. created a directory `tests`, at `/Users/stephendonner/Desktop/tests` 2. dropped a `logo.png` image into `/tests` 3. ran `python3 -m http.server 8000` from `/tests`: ``` stephendonner@Stephens-MBP Desktop % cd tests stephendonner@Stephens-MBP tests % python3 -m http.server 8000 ```

Shared Steps:

1. installed `1.52.86` 5. launched Brave 6. opened `brave://flags` 7. set `brave://flags/#brave-localhost-access-permission` to `Enabled` 8. clicked `Relaunch` 9. opened `brave://adblock` 10. scrolled to `Create custom filters` 11. entered `@@||localhost^$domain=shivankaul.com` 12. clicked `Save changes` 13. loaded `https://shivankaul.com/brave/localhost/` `brave://adblock` | `brave://flags` ---------------|----------------- Screen Shot 2023-05-07 at 3 07 10 PM

|

Case 1: Subresource image test - `PASSED`

### `Allow` (continued from `Shared Steps`) 1. loaded `https://shivankaul.com/brave/localhost/subresource.html` 2. confirmed I got the permission prompt 3. clicked `Allow` 5. opened `brave://settings/content/localhostAccess` 6. confirmed the site was listed under `Allowed to access localhost resources` ### Confirmed `logo.png` rendered permission dialog | `Allow`ed | `brave://settings/content/localhostAccess` ------------------|------------|------------------------------------------ Screen Shot 2023-05-07 at 2 11 58 PM

|

|

### `Block` (continued from `Shared Steps`) 1. loaded `https://shivankaul.com/brave/localhost/subresource.html` 2. confirmed I got the permission prompt 3. clicked `Block` 4. opened `brave://settings/content/localhostAccess` 5. confirmed the site was listed under `Not allowed to access localhost resources` ### Confirmed `logo.png` was blocked, and a broken-image icon displayed `Block`ed | `brave://settings/content/localhostAccess` -----------|------------------------------------------- Screen Shot 2023-05-07 at 2 50 37 PM

|

Case 2: Service worker test - `PASSED`

### `Allow` (continued from `Shared Steps`) 1. loaded `https://shivankaul.com/brave/localhost/sw.html` 2. clicked `Allow` 3. opened `brave://settings/content/localhostAccess` 4. confirmed the site was listed under `Allowed to access localhost resources` ### Confirmed `logo.png` rendered permission dialog | `Allow`ed | `brave://settings/content/localhostAccess` ------------------|------------|------------------------------------------ Screen Shot 2023-05-07 at 3 10 40 PM

|

|

### `Block` (continued from `Shared Steps`) 1. loaded `https://shivankaul.com/brave/localhost/sw.html` 2. clicked `Block` 3. opened `brave://settings/content/localhostAccess` 4. confirmed the site was listed under `Not allowed to access localhost resources` ### Confirmed `logo.png` was blocked, and a broken-image icon displayed `Block`ed | `brave://settings/content/localhostAccess` -----------|------------------------------------------- Screen Shot 2023-05-07 at 3 18 23 PM

|

Case 3: Websockets test - `PASSED`

Prerequisites: * installed `Node.js` * ran `npm install ws` * ran `node ws_server.js` (continued from `Shared Steps`) 1. loaded `https://shivankaul.com/brave/localhost/` 2. clicked on `websockets test page` (`https://shivankaul.com/brave/localhost/ws_client.html`) 3. waited 5 seconds for the redirect to happen 4. opened the `Developer` console 5. confirmed message `ping from server` 6. confirmed message `pong from client` in my `node` terminal 7. loaded `brave://settings/content/localhostAccess` 8. confirmed site entry was added to `Allowed to access localhost resources` ### `Allow` permission dialog | `Allow`ed | `pong from client!` | `brave://settings/content/localhostAccess` ------------------|------------|--------------------|------------------------------------------ Screen Shot 2023-05-08 at 8 47 51 AM

|

|

|

### `Block` (continued from `Shared Steps`) 1. loaded `https://shivankaul.com/brave/localhost/` 2. clicked on `websockets test page` (`https://shivankaul.com/brave/localhost/ws_client.html`) 3. waited 5 seconds for the redirect to happen 4. opened the `Developer` console 5. clicked `Block` 6. opened `brave://settings/content/localhostAccess` 9. confirmed site entry was added to `Not allowed to access localhost resources` `Block`ed | `brave://settings/content/localhostAccess` -----------|------------------------------------------ Screen Shot 2023-05-08 at 9 05 04 AM

|

Case 4: Request in test - <code>PASSED</code></h3> <details> ### `Allow` (continued from `Shared Steps`) 1. load `https://shivankaul.com/brave/localhost/` 10. clicked on `request in iframe test page` (`https://shivankaul.com/brave/localhost/iframe.html`) 11. waited 5 seconds for the redirect to happen 12. clicked `Allow` 13. confirmed my `logo.png` image was loaded and rendered 14. (now a 5-second timer in the iframe kicks in, and replaces the image) 15. opened `brave://settings/content/localhostAccess` 16. confirmed site entry in `Allowed to access localhost resources` step 1-2 | step 3 | step 4 | step 5 | step 6 | `brave://settings/content/localhostAccess` -----|-----|------|------|-----|------- <img width="1312" alt="Screen Shot 2023-05-08 at 1 23 36 PM" src="https://user-images.githubusercontent.com/387249/236927517-01719b16-70b0-482f-8814-98b459791736.png"> | <img width="1312" alt="Screen Shot 2023-05-08 at 1 23 40 PM" src="https://user-images.githubusercontent.com/387249/236927521-e0034ddb-6b2e-4b05-987d-2d229fb4af02.png"> | <img width="1312" alt="Screen Shot 2023-05-08 at 1 23 46 PM" src="https://user-images.githubusercontent.com/387249/236927525-e38418df-6a4b-40cd-9683-26fe33e43bc5.png"> | <img width="1312" alt="Screen Shot 2023-05-08 at 1 23 50 PM" src="https://user-images.githubusercontent.com/387249/236927527-8ec7333f-cde1-484e-ac7f-42641a742af5.png"> | <img width="1312" alt="Screen Shot 2023-05-08 at 1 23 59 PM" src="https://user-images.githubusercontent.com/387249/236927529-41747bcd-39e7-4561-9875-f86eb5f5a06d.png"> | <img width="1312" alt="Screen Shot 2023-05-08 at 1 32 35 PM" src="https://user-images.githubusercontent.com/387249/236928725-9711f6fc-844d-47c3-a14e-ccbe9294cc8b.png"> ### `Block` (continued from `Shared Steps`) 1. loaded `https://shivankaul.com/brave/localhost/` 2. clicked on request in iframe test page (`https://shivankaul.com/brave/localhost/iframe.html`) 3. waited 5 seconds for the redirect to happen 4. clicked `Block` 7. waited 8. opened `brave://settings/content/localhostAccess` 9. confirmed site entry in `Not allowed to access localhost resources` ### Confirmed `logo.png` did not load nor render step 1-2 | step 4 | step 5 | `brave://settings/content/localhostAccess` ---------|------|---------|------------------------------------------- <img width="1939" alt="Screen Shot 2023-05-08 at 1 42 59 PM" src="https://user-images.githubusercontent.com/387249/236931104-4c670f3f-3c54-4394-8dfd-8118f5223bf8.png"> | <img width="1939" alt="Screen Shot 2023-05-08 at 1 46 29 PM" src="https://user-images.githubusercontent.com/387249/236931786-c52f8e3f-a44c-4086-868b-c0df191683a7.png"> | <img width="1939" alt="Screen Shot 2023-05-08 at 1 43 04 PM" src="https://user-images.githubusercontent.com/387249/236932132-1df10518-2757-4032-89e8-cceed3c52fc3.png"> | <img width="1939" alt="Screen Shot 2023-05-08 at 1 43 22 PM" src="https://user-images.githubusercontent.com/387249/236931627-c8b06a9e-f9e5-4a4d-a5cf-f68098957652.png"> </details> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/ShivanKaul"><img src="https://avatars.githubusercontent.com/u/5284154?v=4" />ShivanKaul</a> commented <strong> 1 year ago</strong> </div> <div class="markdown-body"> <blockquote> <p>I'm not a huge fan of having a built-in whitelist as it gives preferential treatment to "friends of Brave" (or people who can afford the registration costs, or people who KYC, or people who go through some bureaucratic process or whatever).</p> </blockquote> <p>I'm not sure what the point being made here is, but to give a closely-related example, Brave <a href="https://www.usenix.org/conference/pepr22/presentation/sahib">heavily contributes to adblock filter list development</a> and maintenance and part of that work is figuring out what network requests are safe or otherwise in the interest of the user (across all adblockers, not just Brave), and which ones are not. We're going through open GitHub issues right now to collect use-cases we can now enable with this feature. We always offer a way for users to add their own lists/rules for adblock, and similarly here, we will offer a way for users to add which websites they consider safe to access localhost resources.</p> <blockquote> <p>Will it be possible to have certain localhost resources made available to all websites?</p> </blockquote> <p>Can you create a new issue for this? We can discuss it there. </p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/MicahZoltu"><img src="https://avatars.githubusercontent.com/u/886059?v=4" />MicahZoltu</a> commented <strong> 1 year ago</strong> </div> <div class="markdown-body"> <p>I opened #30181 for discussing specific localhost resources being made globally available for permission requests.</p> <blockquote> <p>I'm not sure what the point being made here is, but to give a closely-related example, Brave <a href="https://www.usenix.org/conference/pepr22/presentation/sahib">heavily contributes to adblock filter list development</a> and maintenance and part of that work is figuring out what network requests are safe or otherwise in the interest of the user (across all adblockers, not just Brave), and which ones are not. We're going through open GitHub issues right now to collect use-cases we can now enable with this feature. We always offer a way for users to add their own lists/rules for adblock, and similarly here, we will offer a way for users to add which websites they consider safe to access localhost resources.</p> </blockquote> <p>The broad point I think is that the failure mode of blacklists is quite different from the failure mode of whitelists. If Brave is unable to keep up with demand for adding things to a blacklist, then users are not protected as well but new websites aren't prevented from being able to do everything that existing websites do. If Brave is unable to keep up with demand for whitelist additions, then new websites will not be able to do everything that existing websites do.</p> <p>IMO, this difference of failure modes is quite significant because a blacklist leaves the web open by default while a whitelist leaves the web closed by default. I believe that it is important that the web remain open and decentralized by default, with things like AdBlock adding exceptions to the "open by default" rule rather than the other way around.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/MadhaviSeelam"><img src="https://avatars.githubusercontent.com/u/98358127?v=4" />MadhaviSeelam</a> commented <strong> 1 year ago</strong> </div> <div class="markdown-body"> <p>Verification <code>PASSED</code> using</p> <pre><code>Brave | 1.52.91 Chromium: 113.0.5672.77 (Official Build) beta (64-bit) -- | -- Revision | c4236862955e005c2187105415ac4a2ecf86dff1-refs/branch-heads/5672_62@{#3} OS | Windows 11 Version 22H2 (Build 22621.1555)</code></pre> <h3>Prerequisites:</h3> <details> 1. created a directory `tests`, at `/Users/mseelam/Documents/tests` 2. dropped a `logo.png` image into `/tests` 3. ran `python3 -m http.server 8000` from `/tests`: ``` C:\Users\mseel\Documents\tests>python3 -m http.server 8000 Serving HTTP on :: port 8000 (http://[::]:8000/) ... ``` </details> <h3>Shared Steps:</h3> <details> 1. installed `1.52.91` 5. launched Brave 6. opened `brave://flags` 7. set `#brave-localhost-access-permission` to `Enabled` 8. clicked `Relaunch` 9. opened `brave://adblock` 10. scrolled to `Create custom filters` 11. entered `@@||localhost^$domain=shivankaul.com` 12. clicked `Save changes` 13. loaded `https://shivankaul.com/brave/localhost/` `brave://adblock` | `brave://flags` ---------------|----------------- ![image](https://user-images.githubusercontent.com/98358127/236964108-c27b10f7-35dc-46dc-b02d-a791ded81dcc.png)| ![image](https://user-images.githubusercontent.com/98358127/236964034-dc2b9794-170a-40a6-9ccd-2861ce836f21.png) </details> <h3>Case 1: Subresource image test - <code>PASSED</code></h3> <details> ### `Allow` (continued from `Shared Steps`) 1. loaded `https://shivankaul.com/brave/localhost/subresource.html` 2. confirmed I got the permission prompt 3. clicked `Allow` 4. opened `brave://settings/content/localhostAccess` 5. confirmed the site was listed under `Allowed to access localhost resources` 6. `Localhost Access` permissions show `Allow` under brave://settings/content/siteDetails?site=https%3A%2F%2Fshivankaul.com%3A443 ### Confirmed `logo.png` rendered `step 2` | `step 3` | `step 4` | `step 6` -----------|------|--------|------------ <image width="500" alt="image" src="https://user-images.githubusercontent.com/98358127/236964438-a3cb42ca-807c-4c94-a6bb-f1203e7b0221.png">|<image width="500" alt="image" src="https://user-images.githubusercontent.com/98358127/236964542-5d674307-5d8d-45df-aac5-3acbcf82e646.png">|<image width="500" alt="image" src="https://user-images.githubusercontent.com/98358127/236964598-6145cf69-95d2-4625-aec8-c1a0695acc13.png">|<image width="500" alt="image" src="https://user-images.githubusercontent.com/98358127/236964724-3b9c56b3-9419-4d8e-bc81-58074cf42f36.png"> ### `Block` (continued from `Shared Steps`) 1. loaded `https://shivankaul.com/brave/localhost/subresource.html` 2. confirmed I got the permission prompt 3. clicked `Block` 4. opened `brave://settings/content/localhostAccess` 5. confirmed the site was listed under `Not allowed to access localhost resources` 6. `Localhost Access` permissions show `Block` under brave://settings/content/siteDetails?site=https%3A%2F%2Fshivankaul.com%3A443 ### Confirmed `logo.png` was blocked, and a broken-image icon displayed step 2 | step 3 | step 5 | step 6 -----|------|-------|------ <image width="500" alt="image" src="https://github.com/brave/brave-browser/assets/98358127/2cf5f027-4744-4548-91b1-5a3fe7e572d1">|<image width="500" alt="image" src="https://github.com/brave/brave-browser/assets/98358127/1bfac7cc-5839-4cc6-8e04-171526aef51d">|<image width="500" alt="image" src="https://github.com/brave/brave-browser/assets/98358127/f365362c-0533-4672-93a3-5fe1f6337c7b">|<image width="500" alt="image" src="https://github.com/brave/brave-browser/assets/98358127/51f89059-7a09-4051-a915-28ada46beaa5">| </details> <h3>Case 2: Service worker test - <code>PASSED</code></h3> <details> ### `Allow` (continued from `Shared Steps`) 1. loaded `https://shivankaul.com/brave/localhost/sw.html` 2. clicked `Allow` on the Permission Prompt 3. opened `brave://settings/content/localhostAccess` 4. confirmed the site was listed under `Allowed to access localhost resources` 5. `Localhost Access` permissions show `Allow` under brave://settings/content/siteDetails?site=https%3A%2F%2Fshivankaul.com%3A443 ### Confirmed `logo.png` rendered step 2 | result | step 4 | step 5 -----|------|-------|------ <image width="500" alt="image" src="https://github.com/brave/brave-browser/assets/98358127/f87f528a-76eb-40bb-9174-16ad94007303">|<image width="500" alt="image" src="https://github.com/brave/brave-browser/assets/98358127/aa44dd3e-f01d-4d82-bb10-ce13fbe86646">|<image width="500" alt="image" src="https://github.com/brave/brave-browser/assets/98358127/92614a71-cbf9-451d-967f-c607cfd8d6dc">|<image width="500" alt="image" src="https://github.com/brave/brave-browser/assets/98358127/58a30da7-b08c-432d-9b34-d200ad25831b"> ### `Block` (continued from `Shared Steps`) 1. loaded `https://shivankaul.com/brave/localhost/sw.html` 2. clicked `Block` 3. opened `brave://settings/content/localhostAccess` 4. confirmed the site was listed under `Not allowed to access localhost resources` ### Confirmed `logo.png` was blocked, and a broken-image icon displayed with a new profile `Block`ed | `brave://settings/content/localhostAccess` -----------|------------------------------------------- ![image](https://github.com/brave/brave-browser/assets/98358127/4a128469-710a-4ec3-ac62-3e19b3d7577b)|![image](https://github.com/brave/brave-browser/assets/98358127/96d4fdb1-1b6a-4ece-9da0-26b5ad728252) Note: For existing profile, i.e from `Allow` case above (previous testcase) where I close the tab and reopen the page in a new tab, permission prompt is not shown. since the service worker persists, unregister the existing service worker in the Application tab of Dev console and reload the page to show the permission prompt example | example ---- | ---- ![image](https://github.com/brave/brave-browser/assets/98358127/683b9d5c-23da-4011-be87-00632411a5a8)|![image](https://github.com/brave/brave-browser/assets/98358127/0a05bc7e-56b1-4549-9bfe-305ddd07d333) </details> <h3>Case 3: Websockets test - <code>PASSED</code></h3> <details> Prerequisites: * installed `Node.js` * ran `npm install ws` * add js file to local directory (https://shivankaul.com/brave/localhost/ws_server.js) * ran `node ws_server.js` ### `Allow` (continued from `Shared Steps`) 1. loaded `np` 2. clicked on `websockets test page` (`https://shivankaul.com/brave/localhost/ws_client.html`) 3. waited 5 seconds for the redirect to happen 4. opened the `Developer` console 5. confirmed message `ping from server` 6. confirmed message `pong from client` in my `node` terminal 7. loaded `brave://settings/content/localhostAccess` 8. confirmed site entry was added to `Allowed to access localhost resources` permission dialog | `Allow`ed | `pong from client!` | `brave://settings/content/localhostAccess` ------------------|------------|--------------------|------------------------------------------ <image width="500" alt="image" src="https://github.com/brave/brave-browser/assets/98358127/abc053cc-640d-4ebf-a934-9448353a5bc4">|<image width="500" alt="image" src="https://github.com/brave/brave-browser/assets/98358127/2cd9728b-aa34-4c5f-8edf-c36b6491c433">|<image width="500" alt="image" src="https://github.com/brave/brave-browser/assets/98358127/58ef9d68-2556-4225-bcdb-3c66620dbeff">|<image width="500" alt="image" src="https://github.com/brave/brave-browser/assets/98358127/2caea8bd-859d-472b-a6ed-30f8b9ea2f7c"> ### `Block` (continued from `Shared Steps`) 1. loaded `https://shivankaul.com/brave/localhost/` 2. clicked on `websockets test page` (`https://shivankaul.com/brave/localhost/ws_client.html`) 3. waited 5 seconds for the redirect to happen 4. opened the `Developer` console 5. clicked `Block` 6. opened `brave://settings/content/localhostAccess` 7. confirmed site entry was added to `Not allowed to access localhost resources` permission dialog | `Block`ed | `brave://settings/content/localhostAccess` -----------|-----------------------|------------------- <image width="500" alt="image" src="https://github.com/brave/brave-browser/assets/98358127/6d065af2-9112-41ff-a129-9b1d406e4dac">|<image width="500" alt="image" src="https://github.com/brave/brave-browser/assets/98358127/356598ee-7426-4080-9483-814f215af8e5">|<image width="500" alt="image" src="https://github.com/brave/brave-browser/assets/98358127/55196ed3-b671-4975-b080-efeb6b3fa914"> </details> <h3>Case 4: Request in <iframe> test - <code>PASSED</code></h3> <details> Pre-requisites: ran `python3 -m http.server 8000` from `/tests`: ### `Allow` (continued from `Shared Steps`) 1. load `https://shivankaul.com/brave/localhost/` 2. clicked on `request in iframe test page` (`https://shivankaul.com/brave/localhost/iframe.html`) 3. waited 5 seconds for the redirect to happen 4. clicked `Allow` 5. confirmed my `logo.png` image was loaded and rendered 6. (now a 5-second timer in the iframe kicks in, and replaces the image) 7. opened `brave://settings/content/localhostAccess` 8. confirmed site entry in `Allowed to access localhost resources` 9. Image will not be replaced and existing on the page step 1-2 | step 3 | step 4 | step 5 | step 6 | `brave://settings/content/localhostAccess` -----|-----|------|------|-----|------- <image width="500" alt="image" src="https://github.com/brave/brave-browser/assets/98358127/eb481351-8597-48c6-9ff7-136b8bcaaaf0">|<image width="500" alt="image" src="https://github.com/brave/brave-browser/assets/98358127/ac3dc93d-0305-4f01-9055-d3ebddab4a56">|<image width="500" alt="image" src="https://github.com/brave/brave-browser/assets/98358127/718b536b-6613-432c-a1a0-6ad6fe551871">|<image width="500" alt="image" src="https://github.com/brave/brave-browser/assets/98358127/b896cf02-52c4-4b05-9031-5e9b41e07acd">|<image width="500" alt="image" src="https://github.com/brave/brave-browser/assets/98358127/cdaaf448-303c-4e53-a36a-579d5d925bf7">|<image width="500" alt="image" src="https://github.com/brave/brave-browser/assets/98358127/f9fecfd6-cae2-4e54-af7b-d05a3e96ba10"> ### `Block` (continued from `Shared Steps`) 1. loaded `https://shivankaul.com/brave/localhost/` 2. clicked on request in iframe test page (`https://shivankaul.com/brave/localhost/iframe.html`) 3. waited 5 seconds for the redirect to happen 4. clicked `Block` 5. waited 6. opened `brave://settings/content/localhostAccess` 7. confirmed site entry in `Not allowed to access localhost resources` ### Confirmed `logo.png` did not load nor render step 1-2 | step 4 | step 5 |`brave://settings/content/localhostAccess` ---------|------|---------|------------------------------------------- <image width="500" alt="image" src="https://github.com/brave/brave-browser/assets/98358127/eb481351-8597-48c6-9ff7-136b8bcaaaf0">| <image width="500" alt="image" src="https://github.com/brave/brave-browser/assets/98358127/5dd6b916-bd54-4cee-8abe-e1cb0cd119e4">|<image width="500" alt="image" src="https://github.com/brave/brave-browser/assets/98358127/a0277e95-6a0d-46c2-9fd7-3fa065d20c1d">|<image width="500" alt="image" src="https://github.com/brave/brave-browser/assets/98358127/11cb03c5-1a6b-4038-8658-5c47e17f0322"> </details> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/stephendonner"><img src="https://avatars.githubusercontent.com/u/387249?v=4" />stephendonner</a> commented <strong> 1 year ago</strong> </div> <div class="markdown-body"> <h2>Verification <code>PASSED</code> using</h2> <pre><code>Brave 1.52.109 Chromium: 114.0.5735.26 (Official Build) beta (64-bit) Revision 7075cbb66f0542ac3e01ddfde6b813e7d61118a5-refs/branch-heads/5735@{#454} OS Linux</code></pre> <h3>Prerequisites:</h3> <details> 1. created a directory `tests`, at `home/stephenedonner/tests` 2. dropped a `logo.png` image into `/tests` 3. ran `python3 -m http.server 8000` from `/tests`: ``` % cd tests % python3 -m http.server 8000 ``` </details> <h3>Shared Steps:</h3> <details> 1. installed `1.52.86` 5. launched Brave 6. opened `brave://flags` 7. set `brave://flags/#brave-localhost-access-permission` to `Enabled` 8. clicked `Relaunch` 9. opened `brave://adblock` 10. scrolled to `Create custom filters` 11. entered `@@||localhost^$domain=shivankaul.com` 12. clicked `Save changes` 13. loaded `https://shivankaul.com/brave/localhost/` `brave://adblock` | `brave://flags` ---------------|----------------- <img width="1067" alt="Screen Shot 2023-05-23 at 2 10 19 PM" src="https://github.com/brave/brave-browser/assets/387249/5bae62c5-8dff-47a8-add8-5031fac0d76b"> | <img width="1067" alt="Screen Shot 2023-05-23 at 2 10 30 PM" src="https://github.com/brave/brave-browser/assets/387249/29288271-88a4-4fc6-a905-4e24c0452a1d"> </details> <h3>Case 1: Subresource image test - <code>PASSED</code></h3> <details> ### `Allow` (continued from `Shared Steps`) 1. loaded `https://shivankaul.com/brave/localhost/subresource.html` 2. confirmed I got the permission prompt 3. clicked `Allow` 5. opened `brave://settings/content/localhostAccess` 6. confirmed the site was listed under `Allowed to access localhost resources` ### Confirmed `logo.png` rendered permission dialog | `Allow`ed | `brave://settings/content/localhostAccess` ------------------|------------|------------------------------------------ <img width="1067" alt="Screen Shot 2023-05-23 at 2 11 59 PM" src="https://github.com/brave/brave-browser/assets/387249/e4645125-4e49-4baa-9522-48515bc04896"> | <img width="1067" alt="Screen Shot 2023-05-23 at 2 12 07 PM" src="https://github.com/brave/brave-browser/assets/387249/c90edf53-9ea0-40ab-bf20-9eaa55aa83e5"> | <img width="1233" alt="Screen Shot 2023-05-23 at 2 12 45 PM" src="https://github.com/brave/brave-browser/assets/387249/1dffe7a7-8ba3-4972-ab4a-cc9d06f95fcf"> ### `Block` (continued from `Shared Steps`) 1. loaded `https://shivankaul.com/brave/localhost/subresource.html` 2. confirmed I got the permission prompt 3. clicked `Block` 4. opened `brave://settings/content/localhostAccess` 5. confirmed the site was listed under `Not allowed to access localhost resources` ### Confirmed `logo.png` was blocked, and a broken-image icon displayed `Block`ed | `brave://settings/content/localhostAccess` -----------|------------------------------------------- <img width="1233" alt="Screen Shot 2023-05-23 at 2 15 14 PM" src="https://github.com/brave/brave-browser/assets/387249/1e840f4b-d6a5-4e6c-a696-94d22e042f1c"> | <img width="1233" alt="Screen Shot 2023-05-23 at 2 15 22 PM" src="https://github.com/brave/brave-browser/assets/387249/85a58098-0b85-4087-aa5b-461df02815f2"> </details> <h3>Case 2: Service worker test - <code>PASSED</code></h3> <details> ### `Allow` (continued from `Shared Steps`) 1. loaded `https://shivankaul.com/brave/localhost/sw.html` 2. clicked `Allow` 3. opened `brave://settings/content/localhostAccess` 4. confirmed the site was listed under `Allowed to access localhost resources` ### Confirmed `logo.png` rendered permission dialog | `Allow`ed | `brave://settings/content/localhostAccess` ------------------|------------|------------------------------------------ <img width="1233" alt="Screen Shot 2023-05-23 at 2 17 52 PM" src="https://github.com/brave/brave-browser/assets/387249/f6531909-6b64-4c0c-8c7a-697b9928391e"> | <img width="1233" alt="Screen Shot 2023-05-23 at 2 18 01 PM" src="https://github.com/brave/brave-browser/assets/387249/99c1e290-201c-40bf-b492-eaaf899afac6"> | <img width="1233" alt="Screen Shot 2023-05-23 at 2 18 12 PM" src="https://github.com/brave/brave-browser/assets/387249/c4459e3e-7ab3-4e9d-b7b2-82dacfc36c57"> ### `Block` (continued from `Shared Steps`) 1. loaded `https://shivankaul.com/brave/localhost/sw.html` 2. clicked `Block` 3. opened `brave://settings/content/localhostAccess` 4. confirmed the site was listed under `Not allowed to access localhost resources` ### Confirmed `logo.png` was blocked, and a broken-image icon displayed `Block`ed | `brave://settings/content/localhostAccess` -----------|------------------------------------------- <img width="1233" alt="Screen Shot 2023-05-23 at 2 19 16 PM" src="https://github.com/brave/brave-browser/assets/387249/3f671d86-d1f6-4baa-af23-d8d8b44b1d65"> | <img width="1233" alt="Screen Shot 2023-05-23 at 2 19 21 PM" src="https://github.com/brave/brave-browser/assets/387249/8fd456a3-d7c1-4956-b594-b8b2431508df"> </details> <h3>Case 3: Websockets test - <code>PASSED</code></h3> <details> Prerequisites: * installed `Node.js` * ran `npm install ws` * ran `node ws_server.js` (continued from `Shared Steps`) 1. loaded `https://shivankaul.com/brave/localhost/` 2. clicked on `websockets test page` (`https://shivankaul.com/brave/localhost/ws_client.html`) 3. waited 5 seconds for the redirect to happen 4. opened the `Developer` console 5. confirmed message `ping from server` 6. confirmed message `pong from client` in my `node` terminal 7. loaded `brave://settings/content/localhostAccess` 8. confirmed site entry was added to `Allowed to access localhost resources` ### `Allow` permission dialog | `Allow`ed | `pong from client!` | `brave://settings/content/localhostAccess` ------------------|------------|--------------------|------------------------------------------ <img width="1351" alt="Screen Shot 2023-05-23 at 2 30 48 PM" src="https://github.com/brave/brave-browser/assets/387249/cf3f4ab4-2562-49a6-b1cc-3635d42c7022"> | <img width="1351" alt="Screen Shot 2023-05-23 at 2 31 22 PM" src="https://github.com/brave/brave-browser/assets/387249/0403a176-871f-49f1-843e-052a52f353e8"> | <img width="1351" alt="Screen Shot 2023-05-23 at 2 33 31 PM" src="https://github.com/brave/brave-browser/assets/387249/12d01533-8baf-4932-bb93-f479fb9818b4"> | <img width="1351" alt="Screen Shot 2023-05-23 at 2 31 40 PM" src="https://github.com/brave/brave-browser/assets/387249/668b14d6-5b0e-4d2e-bd19-bcd6fe90ac82"> ### `Block` (continued from `Shared Steps`) 1. loaded `https://shivankaul.com/brave/localhost/` 2. clicked on `websockets test page` (`https://shivankaul.com/brave/localhost/ws_client.html`) 3. waited 5 seconds for the redirect to happen 4. opened the `Developer` console 5. clicked `Block` 6. opened `brave://settings/content/localhostAccess` 9. confirmed site entry was added to `Not allowed to access localhost resources` `Block`ed | `brave://settings/content/localhostAccess` -----------|------------------------------------------ <img width="1351" alt="Screen Shot 2023-05-23 at 2 36 08 PM" src="https://github.com/brave/brave-browser/assets/387249/19bef111-4563-4e44-8a60-c796f4aeff6d"> | <img width="1351" alt="Screen Shot 2023-05-23 at 2 36 21 PM" src="https://github.com/brave/brave-browser/assets/387249/50e5b923-8b95-42df-b955-16ba90d83674"> </details> <h3>Case 4: Request in <iframe> test - <code>PASSED</code></h3> <details> ### `Allow` (continued from `Shared Steps`) 1. load `https://shivankaul.com/brave/localhost/` 2. clicked on `request in iframe test page` (`https://shivankaul.com/brave/localhost/iframe.html`) 3. waited 5 seconds for the redirect to happen 4. clicked `Allow` 5. confirmed my `logo.png` image was loaded and rendered 6. (now a 5-second timer in the iframe kicks in, and replaces the image) 7. opened `brave://settings/content/localhostAccess` 8. confirmed site entry in `Allowed to access localhost resources` step 1-2 | step 4 | step 5 | step 6 | `brave://settings/content/localhostAccess` -----|-----|------|------|----- <img width="1351" alt="Screen Shot 2023-05-23 at 2 51 53 PM" src="https://github.com/brave/brave-browser/assets/387249/06350e71-7065-41b7-820e-5de5881fe2a6"> | <img width="1351" alt="Screen Shot 2023-05-23 at 2 42 50 PM" src="https://github.com/brave/brave-browser/assets/387249/8d2bb122-4b55-4aa7-a990-4d80b70b593d"> | <img width="1351" alt="Screen Shot 2023-05-23 at 2 42 59 PM" src="https://github.com/brave/brave-browser/assets/387249/a4cc4a4b-6951-4223-a385-62647d052c9a"> | <img width="1351" alt="Screen Shot 2023-05-23 at 2 44 20 PM" src="https://github.com/brave/brave-browser/assets/387249/01bfaa26-01e4-4c65-a058-7877ce5512ac"> | <img width="1351" alt="Screen Shot 2023-05-23 at 2 44 29 PM" src="https://github.com/brave/brave-browser/assets/387249/b336aa0e-486b-4b0c-bd6c-a235db6fc4ad"> ### `Block` (continued from `Shared Steps`) 1. loaded `https://shivankaul.com/brave/localhost/` 2. clicked on request in iframe test page (`https://shivankaul.com/brave/localhost/iframe.html`) 3. waited 5 seconds for the redirect to happen 4. clicked `Block` 7. waited 8. opened `brave://settings/content/localhostAccess` 9. confirmed site entry in `Not allowed to access localhost resources` ### Confirmed `logo.png` did not load nor render step 1-2 | step 4 | step 5 | `brave://settings/content/localhostAccess` ---------|------|---------|------------------------------------------- <img width="1351" alt="Screen Shot 2023-05-23 at 2 51 53 PM" src="https://github.com/brave/brave-browser/assets/387249/06350e71-7065-41b7-820e-5de5881fe2a6"> | <img width="1351" alt="Screen Shot 2023-05-23 at 2 50 53 PM" src="https://github.com/brave/brave-browser/assets/387249/f70b8770-d378-4d23-85dc-331e3ed3fd7a"> | <img width="1351" alt="Screen Shot 2023-05-23 at 2 51 00 PM" src="https://github.com/brave/brave-browser/assets/387249/5539c8dd-3e05-43ee-8fac-f95986b3b754"> | <img width="1351" alt="Screen Shot 2023-05-23 at 2 51 04 PM" src="https://github.com/brave/brave-browser/assets/387249/b0de0b18-ccfd-4e6f-90f8-fd45c7c76b46"> </details> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/ego-lay-atman-bay"><img src="https://avatars.githubusercontent.com/u/70973578?v=4" />ego-lay-atman-bay</a> commented <strong> 11 months ago</strong> </div> <div class="markdown-body"> <p>I am having an issue with websites not being able to make localhost requests. The current situation I'm in is that I'm uploading to youtube from my terminal, but in order to do that, I need oauth2 consent screen, which sends the callback to <code>https://localhost:8080/oauth2callback</code>. Every time I try to allow access to my account, it says something went wrong because it can't send to my localhost server that I need. I had to open google chrome just to get this to work, which I don't like.</p> <p>I really like the idea of having a prompt whenever a website first tries to send a request to localhost, and it would be like asking for mic/camera access. This way, as a developer, I can let websites request to localhost whenever I need. Of course there would be an option in the settings to always not allow, prompt the user, or always allow. I think that would be better than just blocking them all the time, and not even warning the user (heck, even the console didn't even say localhost was blocked).</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/ShivanKaul"><img src="https://avatars.githubusercontent.com/u/5284154?v=4" />ShivanKaul</a> commented <strong> 11 months ago</strong> </div> <div class="markdown-body"> <blockquote> <p>The current situation I'm in is that I'm uploading to youtube from my terminal, but in order to do that, I need oauth2 consent screen, which sends the callback to <a href="https://localhost:8080/oauth2callback">https://localhost:8080/oauth2callback</a></p> </blockquote> <p>What's the website that tries to make the localhost connection? While we come up with something easier, you can selectively add the website to brave://settings/content/localhostAccess (<code>Allowed to access localhost resources</code>). Make sure you have the feature flag turned on (brave://flags/#brave-localhost-access-permission).</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/ego-lay-atman-bay"><img src="https://avatars.githubusercontent.com/u/70973578?v=4" />ego-lay-atman-bay</a> commented <strong> 11 months ago</strong> </div> <div class="markdown-body"> <blockquote> <p>What's the website that tries to make the localhost connection?</p> </blockquote> <p>Google. I would think that you'd get that from me mentioning that I'm trying to upload to <strong>youtube</strong>, which uses google accounts for youtube channels.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/ShivanKaul"><img src="https://avatars.githubusercontent.com/u/5284154?v=4" />ShivanKaul</a> commented <strong> 11 months ago</strong> </div> <div class="markdown-body"> <p>What matters is that the specific <a href="https://developer.chrome.com/docs/extensions/reference/api/contentSettings">content settings pattern</a> you specify on the content settings page matches the site making the call to the localhost URL, whether that's <a href="https://youtube.com">https://youtube.com</a> or a third-party or whatever. </p> <img width="1089" alt="image" src="https://github.com/brave/brave-browser/assets/5284154/59831078-e42f-41e3-9f58-59de13dd1cd1"> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/ego-lay-atman-bay"><img src="https://avatars.githubusercontent.com/u/70973578?v=4" />ego-lay-atman-bay</a> commented <strong> 11 months ago</strong> </div> <div class="markdown-body"> <p>Ah, ok.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/banool"><img src="https://avatars.githubusercontent.com/u/7816187?v=4" />banool</a> commented <strong> 10 months ago</strong> </div> <div class="markdown-body"> <p>Using Brave version 1.61.104 I can't see any localhost related settings in brave://settings/content. I'd like to allowlist localhost access for certain sites, how do I do that? Do I just need to wait for a newer version of the browser to roll out?</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/ego-lay-atman-bay"><img src="https://avatars.githubusercontent.com/u/70973578?v=4" />ego-lay-atman-bay</a> commented <strong> 10 months ago</strong> </div> <div class="markdown-body"> <blockquote> <p>Using Brave version 1.61.104 I can't see any localhost related settings in brave://settings/content. I'd like to allowlist localhost access for certain sites, how do I do that? Do I just need to wait for a newer version of the browser to roll out?</p> </blockquote> <p>You have to first go to brave://flags/#brave-localhost-access-permission and enable it (then restart the browser).</p> </div> </div> <div class="page-bar-simple"> </div> <div class="footer"> <ul class="body"> <li>© <script> document.write(new Date().getFullYear()) </script> Githubissues.</li> <li>Githubissues is a development platform for aggregating issues.</li> </ul> </div> <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.min.js"></script> <script src="/githubissues/assets/js.js"></script> <script src="/githubissues/assets/markdown.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/highlight.min.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/languages/go.min.js"></script> <script> hljs.highlightAll(); </script> </body> </html>

brave / brave-browser

Permissioning access to localhost connections #27346