Permissioning access to localhost connections #27346

Closed
ShivanKaul opened this issue Dec 13, 2022 · 33 comments · Fixed by brave/brave-core#17321

@ShivanKaul
Collaborator

ShivanKaul commented Dec 13, 2022

Similar to #26273, we'd like to add a new site permission called Localhost connections. There are several legitimate use-cases that involve the website asking for access to localhost e.g. a localhost-based websocket.

Currently we block all localhost connections via Adblock, but allowlist some in brave-specific.txt.

We will be able to safely add exceptions to the localhost-blocking adblock rules, once we have this. NOTE: we still want adblock rules to apply before applying this permission. After this permission is added to Brave, in order for a site to have access to localhost resources, it still needs to do 2 things:

  1. It needs to be allowlisted in brave-specific.txt.
  2. The user needs to click Allow in the permission prompt.

NOTE: we only permission/block requests based on the URL, not the resolved IP address. This will be addressed in a follow-up: #30038

Functionality:

  1. Create new permission/content setting called Localhost Access.
  2. Apply adblock filter rules as normal.
  3. Detect if a request is from a valid non-localhost requesting origin for a subresource that looks like a localhost resource.
  4. If current permission status is DENY, cancel the request (net::ERR_ACCESS_DENIED).
  5. If current permission status is ALLOW, allow the request (net::OK).
  6. If current permission status is ASK, cancel the request (net::ERR_ACCESS_DENIED), and show permission prompt.
  7. If permission granted, reload the tab. Now the permission status will be ALLOW, and the user will not get re-prompted for localhost subresource requests.
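
The flow in the Functionality list above, modelled as an added example (not part of the original issue and not Brave's code). The hostname heuristic, the simplified exception-rule matching, the `ADBLOCKED` label and all function names are assumptions.

```javascript
// Added illustration of the Functionality list; not Brave's implementation.
// All names and the hostname heuristic below are assumptions.
const NET_OK = 'net::OK';
const NET_DENIED = 'net::ERR_ACCESS_DENIED';
const ADBLOCKED = 'blocked by adblock'; // model label, not a net error code

// Assumption: "looks like a localhost resource" means the URL hostname is
// localhost, a *.localhost name, an IPv4 loopback literal, or [::1].
// Only the URL is inspected, never a DNS result (the gap tracked in #30038).
function looksLikeLocalhost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, '');
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  if (h === '[::1]') return true;
  const m = /^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

// Step 2, simplified: localhost-looking requests are blocked by adblock unless
// an exception rule names the requesting site, e.g. the custom filter
// `@@||localhost^$domain=shivankaul.com`. Real filter matching is richer.
function hasAdblockException(initiatorHost, exceptionDomains) {
  return exceptionDomains.some(
    (d) => initiatorHost === d || initiatorHost.endsWith('.' + d));
}

function evaluateRequest({ initiator, url, exceptionDomains = [], permission = 'ASK' }) {
  const from = new URL(initiator);
  const to = new URL(url);

  // Step 3: only a non-localhost web origin asking for a localhost-looking
  // URL is subject to this permission (assumption: "valid" = http/https).
  const validInitiator = ['http:', 'https:'].includes(from.protocol) &&
    !looksLikeLocalhost(from.hostname);
  if (!validInitiator || !looksLikeLocalhost(to.hostname)) {
    return { stage: 'out-of-scope', result: null, prompt: false };
  }

  // Adblock rules apply before the permission is consulted.
  if (!hasAdblockException(from.hostname, exceptionDomains)) {
    return { stage: 'adblock', result: ADBLOCKED, prompt: false };
  }

  // Steps 4-6: the stored permission decides the outcome.
  switch (permission) {
    case 'ALLOW':
      return { stage: 'permission', result: NET_OK, prompt: false };
    case 'DENY':
      return { stage: 'permission', result: NET_DENIED, prompt: false };
    case 'ASK': // cancelled now; the prompt decides future requests
      return { stage: 'permission', result: NET_DENIED, prompt: true };
    default:
      throw new Error(`unknown permission state: ${permission}`);
  }
}

// Step 7: after the user clicks Allow the tab reloads and the same request
// is re-evaluated with the permission now ALLOW.
function grantAndReload(request) {
  return evaluateRequest({ ...request, permission: 'ALLOW' });
}

// Constructed sample requests (ports and paths are illustrative).
const SITE = 'https://shivankaul.com';
const EXCEPTIONS = ['shivankaul.com'];
const samples = [
  { initiator: SITE, url: 'http://localhost:8000/logo.png', exceptionDomains: EXCEPTIONS, permission: 'ASK' },
  { initiator: SITE, url: 'http://localhost:8000/logo.png', exceptionDomains: EXCEPTIONS, permission: 'DENY' },
  { initiator: SITE, url: 'ws://127.0.0.1:8765/', exceptionDomains: EXCEPTIONS, permission: 'ALLOW' },
  // No exception rule for this site: stopped at adblock, no prompt shown.
  { initiator: 'https://example.org', url: 'http://localhost:8000/logo.png', exceptionDomains: EXCEPTIONS, permission: 'ASK' },
  // URL-only check: a hostname that is not a loopback name or literal is
  // out of scope here, whatever it resolves to.
  { initiator: SITE, url: 'http://dev.example.test:8000/', exceptionDomains: EXCEPTIONS, permission: 'ASK' },
];

function runSamples() {
  return samples.map((s) => ({ from: s.initiator, url: s.url, ...evaluateRequest(s) }));
}

console.table(runSamples());
```
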
@nacmonad

Hi are there plans to implement this?

@ShivanKaul
Collaborator Author

Working on a PR right now. If folks have test websites that don't currently work on Brave, please drop them here, would help a lot with smoke testing.

@ShivanKaul ShivanKaul removed the OS/Android Fixes related to Android browser functionality label Feb 17, 2023
@CharlieGreenman

CharlieGreenman commented Feb 17, 2023

@ShivanKaul if interested, the razroo.com x razroo vscode plugin (https://marketplace.visualstudio.com/items?itemName=Razroo.razroo-vscode-plugin) is a good example (you will need to sign up/sign in to razroo in order to use it). We spin up a local server/localhost in the vscode plugin and pass information directly from web to local vscode plugin. It works on Chrome and Edge, but not on Brave, I believe for this reason. If authentication works with the vscode plugin, it means it is officially fixed.

@ShivanKaul
Collaborator Author

Cool, that seems to work well on my local feature branch for this issue. This is the experience:

localhost-permission-razroo.mov

@CharlieGreenman

cool that means it should be working as expected. Prior brave users were unable to authenticate. Thank you

@ShivanKaul
Collaborator Author

Thanks for the use-case! Helps a lot. If others have ones too, that would help get this out faster because we'd be surer we're not breaking things.

@nacmonad

nacmonad commented Mar 3, 2023

> Thanks for the use-case! Helps a lot. If others have ones too, that would help get this out faster because we'd be surer we're not breaking things.

Is there a dev branch I can check out? I am running into this issue presently, but the software is proprietary/beta...

@CharlieGreenman

CharlieGreenman commented Mar 3, 2023

@nacmonad just to confirm is that question directed to me or @ShivanKaul

@fmarier fmarier added the privacy/permissions privacy features related to limiting, lifetime or other permissions label Mar 4, 2023
@ShivanKaul ShivanKaul added the priority/P3 The next thing for us to work on. It'll ride the trains. label Mar 10, 2023
@brave-builds brave-builds added this to the 1.52.x - Nightly milestone Apr 24, 2023
@CharlieGreenman

🚀

@ShivanKaul
Collaborator Author

This feature has been merged in for both Desktop and Android but is default-disabled while we work on a better way of shipping which websites should be allowed to request permission.

@CharlieGreenman

@ShivanKaul why not allow users to decide that on their own?

@ShivanKaul
Collaborator Author

There is a very real danger of port-scanning attacks to fingerprint users which is why we'd blocked localhost connections in the first place. We want to prevent those websites from being able to spam users with permission prompts, which has an additional danger of training users to say yes to dangerous actions that they may not understand the significance of while they're just trying to get work done in the browser (which is why Brave disables Filesystem API, for instance).

@CharlieGreenman the razroo auth use-case you brought up seems legitimate. We will add that to the initial list when we roll it out.

@CharlieGreenman

Thank you. It goes without saying my thanks as always


@ShivanKaul
Collaborator Author

We will be allowing only specific websites to ask for this permission.

@MicahZoltu

I don't think that a permissioned/gatekept web is an appropriate solution for this. Even though I want this feature, I think permissioning it is a strictly worse solution than not having it at all because it allows large companies to create moats around their exclusive access to browser features and it reduces the impetus and pressure for the Brave team to find a solution that works for everyone.

As a user and a web/extension developer, Brave implementing a permissioned web in their browser is a huge turnoff for me. I generally like Brave's position on security, privacy, and censorship resistance, but if you all start permissioning/censoring the web it will result in massive negative marks in my internal browser scoring rubric.

@ShivanKaul
Collaborator Author

ShivanKaul commented May 1, 2023

Just to clarify, there will be a way for a user to override which websites get this permission by going to the permission setting page: brave://settings/content/localhostAccess. This is just how Chromium permissions work.

This is part of the enhancement we're exploring -- currently adblocking happens first, so requests are blocked before they get to the permissioning code, but we're working on changing that because we'd like to decouple localhost blocking from adblocking. Details TBD.


@ShivanKaul
Collaborator Author

But there will be a default list of websites that can ask for this permission.

@MicahZoltu

If users can add sites to the whitelist then I think that mitigates a lot of my concerns. I'm not a huge fan of having a built-in whitelist as it gives preferential treatment to "friends of Brave" (or people who can afford the registration costs, or people who KYC, or people who go through some bureaucratic process or whatever).

Will it be possible to have certain localhost resources made available to all websites? For example, if I am running a local Ethereum client or IPFS client, I would like any website to be able to probe for and access those. A website might first probe to see if I have IPFS running locally and if so use that (which I would prefer) then fall back to a central server (same for Ethereum client). I don't want to have to whitelist every website that wants to use these resources as they are intended to be made available to web apps.

In this scenario, I would still be fine with getting a prompt "This website wants to access your Ethereum client: Allow, Deny", but I wouldn't want to have to add every single website to the whitelist by hand, and I also wouldn't necessarily want to give every website full unrestricted access to all localhost resources (only a couple that I have intended to make available as part of a suite of decentralized web tools).

@stephendonner stephendonner added the QA/In-Progress Indicates that QA is currently in progress for that particular issue label May 5, 2023
@stephendonner

stephendonner commented May 5, 2023

Verification PASSED using

Brave 1.52.86 Chromium: 113.0.5672.77 (Official Build) beta (x86_64)
Revision c4236862955e005c2187105415ac4a2ecf86dff1-refs/branch-heads/5672_62@{#3}
OS macOS Version 13.4 (Build 22F5059b)

Prerequisites:

  1. created a directory tests, at /Users/stephendonner/Desktop/tests
  2. dropped a logo.png image into /tests
  3. ran python3 -m http.server 8000 from /tests:
stephendonner@Stephens-MBP Desktop % cd tests
stephendonner@Stephens-MBP tests % python3 -m http.server 8000

Shared Steps:

  1. installed 1.52.86
  2. launched Brave
  3. opened brave://flags
  4. set brave://flags/#brave-localhost-access-permission to Enabled
  5. clicked Relaunch
  6. opened brave://adblock
  7. scrolled to Create custom filters
  8. entered @@||localhost^$domain=shivankaul.com
  9. clicked Save changes
  10. loaded https://shivankaul.com/brave/localhost/

Case 1: Subresource image test - PASSED

Allow

(continued from Shared Steps)

  1. loaded https://shivankaul.com/brave/localhost/subresource.html
  2. confirmed I got the permission prompt
  3. clicked Allow
  4. opened brave://settings/content/localhostAccess
  5. confirmed the site was listed under Allowed to access localhost resources

Confirmed logo.png rendered


Block

(continued from Shared Steps)

  1. loaded https://shivankaul.com/brave/localhost/subresource.html
  2. confirmed I got the permission prompt
  3. clicked Block
  4. opened brave://settings/content/localhostAccess
  5. confirmed the site was listed under Not allowed to access localhost resources

Confirmed logo.png was blocked, and a broken-image icon displayed


Case 2: Service worker test - PASSED

Allow

(continued from Shared Steps)

  1. loaded https://shivankaul.com/brave/localhost/sw.html
  2. clicked Allow
  3. opened brave://settings/content/localhostAccess
  4. confirmed the site was listed under Allowed to access localhost resources

Confirmed logo.png rendered


Block

(continued from Shared Steps)

  1. loaded https://shivankaul.com/brave/localhost/sw.html
  2. clicked Block
  3. opened brave://settings/content/localhostAccess
  4. confirmed the site was listed under Not allowed to access localhost resources

Confirmed logo.png was blocked, and a broken-image icon displayed


Case 3: Websockets test - PASSED

Prerequisites:

  • installed Node.js
  • ran npm install ws
  • ran node ws_server.js

(continued from Shared Steps)

  1. loaded https://shivankaul.com/brave/localhost/
  2. clicked on websockets test page (https://shivankaul.com/brave/localhost/ws_client.html)
  3. waited 5 seconds for the redirect to happen
  4. opened the Developer console
  5. confirmed message ping from server
  6. confirmed message pong from client in my node terminal
  7. loaded brave://settings/content/localhostAccess
  8. confirmed site entry was added to Allowed to access localhost resources

Allow


Block

(continued from Shared Steps)

  1. loaded https://shivankaul.com/brave/localhost/
  2. clicked on websockets test page (https://shivankaul.com/brave/localhost/ws_client.html)
  3. waited 5 seconds for the redirect to happen
  4. opened the Developer console
  5. clicked Block
  6. opened brave://settings/content/localhostAccess
  7. confirmed site entry was added to Not allowed to access localhost resources

Case 4: Request in <iframe> test - PASSED

Allow

(continued from Shared Steps)

  1. load https://shivankaul.com/brave/localhost/
  2. clicked on request in iframe test page (https://shivankaul.com/brave/localhost/iframe.html)
  3. waited 5 seconds for the redirect to happen
  4. clicked Allow
  5. confirmed my logo.png image was loaded and rendered
  6. (now a 5-second timer in the iframe kicks in, and replaces the image)
  7. opened brave://settings/content/localhostAccess
  8. confirmed site entry in Allowed to access localhost resources

Block

(continued from Shared Steps)

  1. loaded https://shivankaul.com/brave/localhost/
  2. clicked on request in iframe test page (https://shivankaul.com/brave/localhost/iframe.html)
  3. waited 5 seconds for the redirect to happen
  4. clicked Block
  5. waited
  6. opened brave://settings/content/localhostAccess
  7. confirmed site entry in Not allowed to access localhost resources

Confirmed logo.png did not load nor render


@ShivanKaul
Collaborator Author

ShivanKaul commented May 5, 2023

> I'm not a huge fan of having a built-in whitelist as it gives preferential treatment to "friends of Brave" (or people who can afford the registration costs, or people who KYC, or people who go through some bureaucratic process or whatever).

I'm not sure what the point being made here is, but to give a closely-related example, Brave heavily contributes to adblock filter list development and maintenance and part of that work is figuring out what network requests are safe or otherwise in the interest of the user (across all adblockers, not just Brave), and which ones are not. We're going through open GitHub issues right now to collect use-cases we can now enable with this feature. We always offer a way for users to add their own lists/rules for adblock, and similarly here, we will offer a way for users to add which websites they consider safe to access localhost resources.

> Will it be possible to have certain localhost resources made available to all websites?

Can you create a new issue for this? We can discuss it there.

@MicahZoltu

I opened #30181 for discussing specific localhost resources being made globally available for permission requests.

> I'm not sure what the point being made here is, but to give a closely-related example, Brave heavily contributes to adblock filter list development and maintenance and part of that work is figuring out what network requests are safe or otherwise in the interest of the user (across all adblockers, not just Brave), and which ones are not. We're going through open GitHub issues right now to collect use-cases we can now enable with this feature. We always offer a way for users to add their own lists/rules for adblock, and similarly here, we will offer a way for users to add which websites they consider safe to access localhost resources.

The broad point I think is that the failure mode of blacklists is quite different from the failure mode of whitelists. If Brave is unable to keep up with demand for adding things to a blacklist, then users are not protected as well but new websites aren't prevented from being able to do everything that existing websites do. If Brave is unable to keep up with demand for whitelist additions, then new websites will not be able to do everything that existing websites do.

IMO, this difference of failure modes is quite significant because a blacklist leaves the web open by default while a whitelist leaves the web closed by default. I believe that it is important that the web remain open and decentralized by default, with things like AdBlock adding exceptions to the "open by default" rule rather than the other way around.

@stephendonner stephendonner added QA Pass-macOS and removed QA/In-Progress Indicates that QA is currently in progress for that particular issue labels May 8, 2023
@MadhaviSeelam

MadhaviSeelam commented May 9, 2023

Verification PASSED using

Brave | 1.52.91 Chromium: 113.0.5672.77 (Official Build) beta (64-bit)
-- | --
Revision | c4236862955e005c2187105415ac4a2ecf86dff1-refs/branch-heads/5672_62@{#3}
OS | Windows 11 Version 22H2 (Build 22621.1555)

Prerequisites:

  1. created a directory tests, at /Users/mseelam/Documents/tests
  2. dropped a logo.png image into /tests
  3. ran python3 -m http.server 8000 from /tests:
C:\Users\mseel\Documents\tests>python3 -m http.server 8000
Serving HTTP on :: port 8000 (http://[::]:8000/) ...

Shared Steps:

  1. installed 1.52.91
  2. launched Brave
  3. opened brave://flags
  4. set #brave-localhost-access-permission to Enabled
  5. clicked Relaunch
  6. opened brave://adblock
  7. scrolled to Create custom filters
  8. entered @@||localhost^$domain=shivankaul.com
  9. clicked Save changes
  10. loaded https://shivankaul.com/brave/localhost/

Case 1: Subresource image test - PASSED

Allow

(continued from Shared Steps)

  1. loaded https://shivankaul.com/brave/localhost/subresource.html
  2. confirmed I got the permission prompt
  3. clicked Allow
  4. opened brave://settings/content/localhostAccess
  5. confirmed the site was listed under Allowed to access localhost resources
  6. Localhost Access permissions show Allow under brave://settings/content/siteDetails?site=https%3A%2F%2Fshivankaul.com%3A443

Confirmed logo.png rendered


Block

(continued from Shared Steps)

  1. loaded https://shivankaul.com/brave/localhost/subresource.html
  2. confirmed I got the permission prompt
  3. clicked Block
  4. opened brave://settings/content/localhostAccess
  5. confirmed the site was listed under Not allowed to access localhost resources
  6. Localhost Access permissions show Block under brave://settings/content/siteDetails?site=https%3A%2F%2Fshivankaul.com%3A443

Confirmed logo.png was blocked, and a broken-image icon displayed


Case 2: Service worker test - PASSED

Allow

(continued from Shared Steps)

  1. loaded https://shivankaul.com/brave/localhost/sw.html
  2. clicked Allow on the Permission Prompt
  3. opened brave://settings/content/localhostAccess
  4. confirmed the site was listed under Allowed to access localhost resources
  5. Localhost Access permissions show Allow under brave://settings/content/siteDetails?site=https%3A%2F%2Fshivankaul.com%3A443

Confirmed logo.png rendered


Block

(continued from Shared Steps)

  1. loaded https://shivankaul.com/brave/localhost/sw.html
  2. clicked Block
  3. opened brave://settings/content/localhostAccess
  4. confirmed the site was listed under Not allowed to access localhost resources

Confirmed logo.png was blocked, and a broken-image icon displayed with a new profile


Note: For an existing profile, i.e. from the Allow case above (previous test case) where I close the tab and reopen the page in a new tab, the permission prompt is not shown. Since the service worker persists, unregister the existing service worker in the Application tab of the Dev console and reload the page to show the permission prompt.


Case 3: Websockets test - PASSED

Prerequisites:

Allow

(continued from Shared Steps)

  1. loaded np
  2. clicked on websockets test page (https://shivankaul.com/brave/localhost/ws_client.html)
  3. waited 5 seconds for the redirect to happen
  4. opened the Developer console
  5. confirmed message ping from server
  6. confirmed message pong from client in my node terminal
  7. loaded brave://settings/content/localhostAccess
  8. confirmed site entry was added to Allowed to access localhost resources

Block

(continued from Shared Steps)

  1. loaded https://shivankaul.com/brave/localhost/
  2. clicked on websockets test page (https://shivankaul.com/brave/localhost/ws_client.html)
  3. waited 5 seconds for the redirect to happen
  4. opened the Developer console
  5. clicked Block
  6. opened brave://settings/content/localhostAccess
  7. confirmed site entry was added to Not allowed to access localhost resources

Case 4: Request in <iframe> test - PASSED

Pre-requisites:
ran python3 -m http.server 8000 from /tests:

Allow

(continued from Shared Steps)

  1. load https://shivankaul.com/brave/localhost/
  2. clicked on request in iframe test page (https://shivankaul.com/brave/localhost/iframe.html)
  3. waited 5 seconds for the redirect to happen
  4. clicked Allow
  5. confirmed my logo.png image was loaded and rendered
  6. (now a 5-second timer in the iframe kicks in, and replaces the image)
  7. opened brave://settings/content/localhostAccess
  8. confirmed site entry in Allowed to access localhost resources
  9. Image will not be replaced and existing on the page

Block

(continued from Shared Steps)

  1. loaded https://shivankaul.com/brave/localhost/
  2. clicked on request in iframe test page (https://shivankaul.com/brave/localhost/iframe.html)
  3. waited 5 seconds for the redirect to happen
  4. clicked Block
  5. waited
  6. opened brave://settings/content/localhostAccess
  7. confirmed site entry in Not allowed to access localhost resources

Confirmed logo.png did not load nor render


@MadhaviSeelam MadhaviSeelam added QA/In-Progress Indicates that QA is currently in progress for that particular issue QA Pass-Win64 and removed QA/In-Progress Indicates that QA is currently in progress for that particular issue labels May 9, 2023
@stephendonner

stephendonner commented May 23, 2023

Verification PASSED using

Brave	1.52.109 Chromium: 114.0.5735.26 (Official Build) beta (64-bit) 
Revision	7075cbb66f0542ac3e01ddfde6b813e7d61118a5-refs/branch-heads/5735@{#454}
OS	Linux

Prerequisites:

  1. created a directory tests, at home/stephenedonner/tests
  2. dropped a logo.png image into /tests
  3. ran python3 -m http.server 8000 from /tests:
% cd tests
% python3 -m http.server 8000

Shared Steps:

  1. installed 1.52.86
  2. launched Brave
  3. opened brave://flags
  4. set brave://flags/#brave-localhost-access-permission to Enabled
  5. clicked Relaunch
  6. opened brave://adblock
  7. scrolled to Create custom filters
  8. entered @@||localhost^$domain=shivankaul.com
  9. clicked Save changes
  10. loaded https://shivankaul.com/brave/localhost/

Case 1: Subresource image test - PASSED

Allow

(continued from Shared Steps)

  1. loaded https://shivankaul.com/brave/localhost/subresource.html
  2. confirmed I got the permission prompt
  3. clicked Allow
  4. opened brave://settings/content/localhostAccess
  5. confirmed the site was listed under Allowed to access localhost resources

Confirmed logo.png rendered


Block

(continued from Shared Steps)

  1. loaded https://shivankaul.com/brave/localhost/subresource.html
  2. confirmed I got the permission prompt
  3. clicked Block
  4. opened brave://settings/content/localhostAccess
  5. confirmed the site was listed under Not allowed to access localhost resources

Confirmed logo.png was blocked, and a broken-image icon displayed


Case 2: Service worker test - PASSED

Allow

(continued from Shared Steps)

  1. loaded https://shivankaul.com/brave/localhost/sw.html
  2. clicked Allow
  3. opened brave://settings/content/localhostAccess
  4. confirmed the site was listed under Allowed to access localhost resources

Confirmed logo.png rendered


Block

(continued from Shared Steps)

  1. loaded https://shivankaul.com/brave/localhost/sw.html
  2. clicked Block
  3. opened brave://settings/content/localhostAccess
  4. confirmed the site was listed under Not allowed to access localhost resources

Confirmed logo.png was blocked, and a broken-image icon displayed


Case 3: Websockets test - PASSED

Prerequisites:

  • installed Node.js
  • ran npm install ws
  • ran node ws_server.js

(continued from Shared Steps)

  1. loaded https://shivankaul.com/brave/localhost/
  2. clicked on websockets test page (https://shivankaul.com/brave/localhost/ws_client.html)
  3. waited 5 seconds for the redirect to happen
  4. opened the Developer console
  5. confirmed message ping from server
  6. confirmed message pong from client in my node terminal
  7. loaded brave://settings/content/localhostAccess
  8. confirmed site entry was added to Allowed to access localhost resources

Allow


Block

(continued from Shared Steps)

  1. loaded https://shivankaul.com/brave/localhost/
  2. clicked on websockets test page (https://shivankaul.com/brave/localhost/ws_client.html)
  3. waited 5 seconds for the redirect to happen
  4. opened the Developer console
  5. clicked Block
  6. opened brave://settings/content/localhostAccess
  7. confirmed site entry was added to Not allowed to access localhost resources

Case 4: Request in <iframe> test - PASSED

Allow

(continued from Shared Steps)

  1. load https://shivankaul.com/brave/localhost/
  2. clicked on request in iframe test page (https://shivankaul.com/brave/localhost/iframe.html)
  3. waited 5 seconds for the redirect to happen
  4. clicked Allow
  5. confirmed my logo.png image was loaded and rendered
  6. (now a 5-second timer in the iframe kicks in, and replaces the image)
  7. opened brave://settings/content/localhostAccess
  8. confirmed site entry in Allowed to access localhost resources

Block

(continued from Shared Steps)

  1. loaded https://shivankaul.com/brave/localhost/
  2. clicked on request in iframe test page (https://shivankaul.com/brave/localhost/iframe.html)
  3. waited 5 seconds for the redirect to happen
  4. clicked Block
  5. waited
  6. opened brave://settings/content/localhostAccess
  7. confirmed site entry in Not allowed to access localhost resources

Confirmed logo.png did not load nor render


@ego-lay-atman-bay

I am having an issue with websites not being able to make localhost requests. The current situation I'm in is that I'm uploading to youtube from my terminal, but in order to do that, I need oauth2 consent screen, which sends the callback to https://localhost:8080/oauth2callback. Every time I try to allow access to my account, it says something went wrong because it can't send to my localhost server that I need. I had to open google chrome just to get this to work, which I don't like.

I really like the idea of having a prompt whenever a website first tries to send a request to localhost, and it would be like asking for mic/camera access. This way, as a developer, I can let websites request to localhost whenever I need. Of course there would be an option in the settings to always not allow, prompt the user, or always allow. I think that would be better than just blocking them all the time, and not even warning the user (heck, even the console didn't even say localhost was blocked).

@ShivanKaul
Collaborator Author

> The current situation I'm in is that I'm uploading to youtube from my terminal, but in order to do that, I need oauth2 consent screen, which sends the callback to https://localhost:8080/oauth2callback

What's the website that tries to make the localhost connection? While we come up with something easier, you can selectively add the website to brave://settings/content/localhostAccess (Allowed to access localhost resources). Make sure you have the feature flag turned on (brave://flags/#brave-localhost-access-permission).

@ego-lay-atman-bay

> What's the website that tries to make the localhost connection?

Google. I would think that you'd get that from me mentioning that I'm trying to upload to youtube, which uses google accounts for youtube channels.

@ShivanKaul
Collaborator Author

ShivanKaul commented Dec 8, 2023

What matters is that the specific content settings pattern you specify on the content settings page matches the site making the call to the localhost URL, whether that's https://youtube.com or a third-party or whatever.


@ego-lay-atman-bay

Ah, ok.

@banool

banool commented Dec 19, 2023

Using Brave version 1.61.104 I can't see any localhost related settings in brave://settings/content. I'd like to allowlist localhost access for certain sites, how do I do that? Do I just need to wait for a newer version of the browser to roll out?

@ego-lay-atman-bay

> Using Brave version 1.61.104 I can't see any localhost related settings in brave://settings/content. I'd like to allowlist localhost access for certain sites, how do I do that? Do I just need to wait for a newer version of the browser to roll out?

You have to first go to brave://flags/#brave-localhost-access-permission and enable it (then restart the browser).
