Implement Custom Website Redirects

[DEFCON001]

Brave iOS contains a "Website Redirects" tab in settings, however it only contains two redirects; "reddit.com" -> "old.reddit.com", and "npr.org" -> "text.npr.org". This is awesome, but it would be great if users could add custom redirects. I currently have a bunch of iOS shortcuts I made myself to manually manipulate url domains before opening brave with the new link, but its very cumbersome, messy, slow, and dependent on the Apple shortcuts app.

Implementation Details

The UI could be implemented similar to the "Custom-Search Engines" UI, and show the logos rendered from The "redirected to site" (so you don't need to render the logos of sites you don't want to access), and a "Add Custom Website Redirect" option at the bottom. Each Redirect box should have the name "domain to redirect -> domain redirected to", and be simply deleted by swiping it (same way it works in the search engines UI). However also adding a seperate settings tab and toggle options to temporally disable and enable specific redirects might be useful to users for things like diagnosing issues (like in the "Quick Search Engines" UI), this would also allow for you to add the current old reddit and npr redirects disabled by default (please allow the user to delete them if they want, as they may contribute to clutter for some users, this is an issue with the Quick Search Engine UI, but the project needs to keep them there, so it makes sense in that specific implementation). (Custom-Search Engines UI):

(Quick Search Engines UI):

The Actual UI for adding a new redirect could be like the "Add Custom Search Engine" tab, having a "Domain to redirect" and "Domain to redirect to" boxes, and a description of any of the specific syntax required in the redirects.

(Add Search Engine UI):

Additional information

• It is important the the redirect back end is capable of linking multiple links to the same domain, as things like "m.youtube.com" and "youtube.com are seperate but may need to be redirected to the same domain.
• It is important that the back end redirects the whole domain, not just a match, so that "youtube" -> "example.com" will not turn "m.youtube.com" into "m.example.com". This is an issue when the user also wants to redirect "m.youtube.com" to "example.com" because if the example site does not have a mobile version, and will instead throw an error.
• It is important the user (or a malicious actor) cannot produce a looped domain redirect in order to cause a denial of service attack for the local application. This would happen for example if these two rules existed, and the user had "reddit.com" or "old.reddit.com" as a homepage when the browser launches:

"reddit.com" -> "old.reddit.com" "old.reddit.com" -> "reddit.com"

Depending on how the backend logic works and if the app is running on a single thread, this may cause an infinite loop that could crash the program every time it is launched, so this behaviour should be tested.

Three ways to defend against such behaviour are:

1. Rerouting behaviour: Allow only one domain change (this may already be how the change is implemented, but if there is a bug discovered to allow multiple redirects, it could be used maliciously)
2. Prompting user in setup behaviour: Do not allow any of the "Redirect from" categories to be added as a "Redirect to" category (this includes when importing a new category so "youtube.com" -> "youtube.com" should not be allowed either in this implementation), this is better as it will alert the user to mistakes while they are trying to set it up.
3. The hard way behaviour: somehow implement some loop sensing logic that can detect loops in the redirect structure, this would be best as it alerts the user, without removing the user's ability to make complex multi redirect trees. For example: "youtube.com" -> "placeholder_domain", "m.youtube.com" -> "placeholder_domain" "placeholder_domain" -> "final_location" You can use the placeholder_domain like a pointer, this is useful for redirecting to services like invidious when the instance dies, rather than changing every single different type of domain manually to the new instance you just change where the placeholder domain points.

Future/Further Implementation Details

• It would also be nice to be able to re-route embedded site information, this done by programs like "libredirect" which is able to redirect embedded youtube videos to privacy respecting alternatives like piped, which are also capable of embedding youtube videos. However this may be more complex if you are applying these redirects to only user visited sites, rather than all browser fetched content.

• Implementing an import/export system for redirects could allow users to produce and share the redirect lists that they produce, however extensive protections should be put in place so malicious lists cannot be produced to cause the issues described above. If the system only checks for redirect loops when the user manually imports them, imported scripts could be used to cause local denial of service attacks to the browser. They could also be used for phishing attacks, so some sort of scanning for local on device blacklisted domains (in brave's local block lists for example), could be an additional protection, without having to query an external server.

[iccub]

Thanks for the feedback, we plan to have it but the work is not scheduled yet.

In the existing implementation each website redirection has two rules we then use to decide whether we redirect or not

• A list of domains and subdomains to redirect to, like [m.reddit.com, i.reddit.com], in the custom implementation I would prefer the user to enter all subdomains manually. Maybe we could consider a wildcard option to grab them all.
• A list of domains we do not redirect to, like [new.reddit.com] this allows you to bypass the redirection without any UI or toggles. Downside is that not many websites are going to have such domain

For the looped domains as long as every rule is added locally, not a problem imo. But as you said, there should be a way to detect such conflicting rules.

Rule sharing is unlikely, it's not popular feature enough. Rule import/export more likely

[distbit0]

This feature would be extremely useful. Would probably use it >10 times per day for teddit, twitter and youtube redirects.

I however use droid, so this is probably the wrong repository for me to be commenting in.

[iccub]

I'll see what can be done in Q4 :)

[DEFCON001]

This feature would be extremely useful. Would probably use it >10 times per day for teddit, twitter and youtube redirects.

I however use droid, so this is probably the wrong repository for me to be commenting in.

This exists on android: https://fedilab.app/wiki/untrackme/ and this: https://mike.sg/2022/07/10/how-to-use-libredirect-on-android/

Hopefully that can help as a short term solution 😃

Its a bigger issue in iOS because the only way to get similar functionality in iOS is to use safari with the paid privacy redirect extension, and safari is proprietary, so I'd rather not have to use it.

[distbit0]

Yeah I used to use privacy redirect on droid @DEFCON001 but had to delete it recently due to it being too buggy, unmaintained and resulting in a very poor ux. Some problems at that it crashes for me when I select a default app for opening certain links, it results in a pop up menu appearing every time I click on most links (super annoying), it opens a new tab for the redirected url rather than redirecting it in the same tab, among many other things.

This is one of the primary reasons I am interested in brave adding this feature:) Privacy redirect is not a viable solution ATM imo.

[davidcollini]

@distbit0 you should try using

https://github.com/libredirect/libredirect

It's an actively maintained fork of privacy redirect and it has more services

It works on android too

[distbit0]

@IronMaltese All I can see are the (desktop) chrome/firefox extensions on their downloads page: https://libredirect.github.io/download.html

How do you suggest one would use this in android? I do use libredirect for brave desktop already, and agree it is better maintained than privacy redirect.

Also btw I just realised that I meant to refer to untrackme above, which is an android app. I had confused it with privacy redirect, which is a chrome extension.

I have never used either libredirect or privacy redirect on android. I did not think it was possible to do so except via browsers such as firefox and kiwi which support extensions on mobile.

[davidcollini]

@distbit0 i thought you were using a browser that supports extensions, you're right about everything else

[bigc0127]

This feature would also in theory allow me to redirect iOS spotlight search queries to my search engine of choice.

google.com > search.brave.com

[specter78]

Any update on when this feature will be implemented?