Brave

The Brave team has announced that the privacy-centric browser will soon introduce new restriction controls allowing users to specify how long sites can access local network resources.

Locally hosted resources can include images or files needed or used by web programs on your device. Other local resources could include access to devices on your network, such as NAS instances, locally hosted servers, shared network printer files, shared network device/computer data, etc.

It is common for websites and local web apps to request access to local resources to fingerprint users or collect information about what software runs on a user’s machine.

“Surprising though it may be, most browsers allow websites to access these local resources just as easily as they can access other resources on the web,” explains Brave.

This practice has been documented since at least 2020 on websites such as eBay, Citibank, Chick-fil-A, and many more as part of an anti-fraud script used on the associated sites.

Ebay portscanning users in the past
Ebay portscanning users in the past
Source: StackExchange

Brave says all major modern browsers, including Chrome and Firefox, allow websites to request access to local resources and use them without restriction.

Safari blocks these requests even when they come from secure public websites as a side-effect of its security measures rather than a specific design decision to stop this dangerous practice.

Brave is introducing a localhost access permission to tackle this problem while still permitting sites they trust to access local resources for a limited time.

New localhost resources permission prompt
New localhost resources permission prompt
Source: Brave

“Brave is the only browser that will block requests to localhost resources from both secure and insecure public sites, while still maintaining a compatibility path for sites that users trust,” pledges the Brave team.

“Starting in version 1.54 (current is v1.52), Brave for desktop and Android will include more powerful features for controlling which sites can access local network resources, and for how long.”

By default, no sites will be granted permission to access localhost resources, so users can give it manually by going to “brave://settings/content/localhostAccess” on the desktop or “Settings > Site settings > Localhost Access” on Android.

Besides this new permission mechanism, Brave will use filter list rules to block scripts and sites that abuse localhost access.

At the same time, Brave will maintain and update an allow-list of trusted sites that will be allowed to prompt users to permit them to access local network resources upon their first visit.

Requests to localhost resources from a localhost context will still be allowed to pass through without requiring special permissions.

Source: www.bleepingcomputer.com