The Brave Browser promotes itself on being built from the ground up to provide enhanced privacy to its users. Yet, users voiced concern today after finding a section of the browser's source code that shows tracking scripts for Facebook and Twitter are whitelisted so that they are not blocked by the browser.

According to the Brave Browser's feature list, unwanted trackers and ads will be blocked by the browser.

Brave Tracking Protection Feature Description

This afternoon, users posted to Y Combinator's Hacker News that the protection in Brave browser does not block tracking scripts from hostnames associated with Facebook and Twitter

This is shown by the source code for the tracking_protection_service.h file that contains a comment informing that a tracking protection white_list variable was created as a "Temporary hack which matches both browser-laptop and Android code".

Whitelist variable

This whitelist variable is associated with code in the tracking_protection_service.cc file that adds various Facebook and Twitter hostnames to the whitelist variable so that they are not blocked by Brave's Tracking Protection feature.

Whitelisted hostnames

The list of whitelisted hostnames are:

connect.facebook.net connect.facebook.com staticxx.facebook.com www.facebook.com scontent.xx.fbcdn.net pbs.twimg.com scontent-sjc2-1.xx.fbcdn.net platform.twitter.com syndication.twitter.com cdn.syndication.twimg.com hostnames

According to a Brave Browser issue that was opened on September 8th, 2018, the developers decided to whitelist tracking scripts from Facebook and Twitter because blocking them would affect the functionality of many sites. One of the Facebook features that would be broken includes Facebook logins.

Bug Issue

The code to whitelist Facebook's hostnames was added over 3 years ago according to this commit and currently only has a priority rating of P5 on Brave's list of open issues.

According to some users at Y Combinator, it is a strange tactic for a privacy-oriented browser to whitelist Facebook.com, which could be the most well known abuser of user's privacy and data, and not resolve it quicker.

Comment from Y Combinator's Hacker News

BleepingComputer has reached out to Brave for comment, but had not heard back at the time of this publication. This article will be updated when a response is received.

Update 2/12/19: Brave has published a blog post in response stating that tracking is still blocked even though these hostnames are whitelisted.

Firefox does it differently

Firefox also states that its tracking protection feature called Content Blocking can cause sites to break. For this reason, they provide different levels of tracking protection to allow users to decide how strict the browser should be when blockin tracking scripts.

Firefox Content Blocking

In Firefox, the default setting is Standard that allows trackers whose blocking would break their associated sites. For users who want stricter tracking protection and do not care if sites will break, they can select the Strict or Custom settings that offer more tracking protection.