Using NoScript for fun, just to see how ridiculous effective the Brave shields are (for add blocking and limiting third-party exposure)

[LennyFox]

Hi,

What I like about brave is the option to increase the adblocking and tracking protection per domain. I normally run Brave with shield in Standard mode and increase it to Aggressive on selected websites. The only thing missing in Brave is an overview of what is allowed and blocked. I added NoScript so I can see which (sub) domains are not blocked.

By reducing what is blocked by default in NoScript, NoScript serves as on-demand reporter for Brave's effectiveness in limiting 3p-exposure. Brave only mentions the number of blocks (14 on CNN), but with NoScript running with more generous default setting, I can see what passes the Brave Shields. Most websites only show the bare minimum (below right).

 

[wat0114]

@LennyFox

so is NS in your setup blocking anything at all, or is it simply showing what Brave allows? I guess you could also enable NS' XSS protection or is it redundant with Brave?

EDIT

I guess the unchecked boxes in bottom left picture are what's being blocked in NS?

 

[LennyFox]

@LennyFox

so is NS in your setup blocking anything at all, or is it simply showing what Brave allows? I guess you could also enable NS' XSS protection or is it redundant with Brave?

EDIT

I guess the unchecked boxes in bottom left picture are what's being blocked in NS?

Yes, you got that right, NoScript it is only used for showing me how good Brave Shields are .

In daily practise the unselected options in NoScript DEFAULT settings (for 3P) probably don't block anything. I disabled them solely out of good hardening practise:
- OBJECT are obsolete plugins like flash or pdf
- WEBGL (mostly used for gaming, has its problems, that is why it is often disabled in Firefox advanced profiles, chromium browsers have its successor WebGPU build-in)
- PING (mostly used for tracking, so most people are better without it)
- UNRESTRICTED CSS (has its problems, remember the advanced CSS vulnability bypass in uBlockOrigin, most websites using third-party CSS will still work with unrestricted CSS disabled)
- LAN, Brave has an option to block access to host, Chromium browsers also have a flag to block insecure private IP requests, disabling LAN acces (link) adds some additional protection
- OTHER are seldomly used as third-party for home use and consumer applications

Thanks good tip: I always enable XSS-protection in NoScript. Although CSP reduces XSS risks (link), enabling this NoScript XSS-filtter seems to raise the bar for malware writers (link), but filters and interceptors have a limited use against XSS vulnabilities created by sloppy programming (see final quote link).

 

[Jan Willy]

Brave blocks 14 trackers on https://edition.cnn.com. When I visit that site Brave blocks 9 trackers (agressive mode). What's your secret?

 

[oldschool]

The only thing missing in Brave is an overview of what is allowed and blocked.

Well, there is some info if you click on the number of trackers and/or scripts blocked. It's kind of hard not to to like Brave's built-in protections.

 

[LennyFox]

Brave blocks 14 trackers on https://edition.cnn.com. When I visit that site Brave blocks 9 trackers (agressive mode). What's your secret?

Kees1958 most used Mv3 plus his addendum for Edge and Firefox and my user rules. I only use Brave Ads filter

 

[LennyFox]

Well, there is some info if you click on the number of trackers and/or scripts blocked. It's kind of hard not to to like Brave's built-in protections.

Thanks did not know that, will try later

 

[oldschool]

Brave blocks 14 trackers on https://edition.cnn.com. When I visit that site Brave blocks 9 trackers (agressive mode). What's your secret?

16 with Yokoffing's Privacy Essentials Filter List.

 

[LennyFox]

@wat0114 I checked advanced settings to make sure I had enabled XSS, to see it is not available anymore (maybe only on Chromium based browsers).

 

[LennyFox]

@oldschool and @Jan Willy sometimes one tracker initiates more third-party requests to other domains, So more trackers blocked does not always mean better blocking. Only when you add NoScript with same Default settings, you know for sure what really is your 3p-exposure

I am happy on CNN with only CNN.io NGTV.IO, Turner.com and WarnermediaCDN which are all four related to CNN

Oldschool,I looked at yokoffing list, but is has many allow exceptions, so I am sticking with Kees1958 two lists.

 

[wat0114]

16 with Yokoffing's Privacy Essentials Filter List.

I get "download Failed" when I try to import the list using this link:

https://github.com/yokoffing/filterlists/blob/main/privacy_essentials.txt

These ones imported no problem:

https://raw.githubusercontent.com/yokoffing/filterlists/main/annoyance_list.txt
https://raw.githubusercontent.com/yokoffing/filterlists/main/privacy_essentials.txt
https://raw.githubusercontent.com/yokoffing/filterlists/main/youtube_clear_view.txt

 

[LennyFox]

I get "download Failed" when I try to import the list using this link:

https://github.com/yokoffing/filterlists/blob/main/privacy_essentials.txt

These ones imported no problem:

https://raw.githubusercontent.com/yokoffing/filterlists/main/annoyance_list.txt
https://raw.githubusercontent.com/yokoffing/filterlists/main/privacy_essentials.txt
https://raw.githubusercontent.com/yokoffing/filterlists/main/youtube_clear_view.txt

Try this one

https://raw.githubusercontent.com/yokoffing/filterlists/main/privacy_essentials.txt

 

[wat0114]

Try this one

https://raw.githubusercontent.com/yokoffing/filterlists/main/privacy_essentials.txt

I just realized that's the second link that worked for me. Brave likes the raw list I guess

 

[Jan Willy]

sometimes one tracker initiates more third-party requests to other domains, So more trackers blocked does not always mean better blocking.

Nevertheless, with same settings and same filterrules the results don't differ. So it's irrelevant if a tracker initiates more requests.

 

[LennyFox]

I just realized that's the second link that worked for me. Brave likes the raw list I guess

Yes uBO is very tolerant, but most adblockers only accept raw version text files and require the [Adblock Plus xx] label

 

[oldschool]

I get "download Failed" when I try to import the list using this link:

I didn't post the raw text link.

 

[LennyFox]

Learned something today, thanks to @oldschool

Clicking on the number of blocks (12) shows what was blocked

 

[wat0114]

I didn't post the raw text link.

That's okay I figured it out eventually

 

[Alexai]

I've not read yet this thread, but I was just thinking to exclude brave from adGuard desktop protection and use brave shield...
But looking at this thread, seems a bad idea.

For me the problem is that Blink-browsers will not support uBlock Origin

 

[LennyFox]

I've not read yet this thread, but I was just thinking to exclude brave from adGuard desktop protection and use brave shield...
But looking at this thread, seems a bad idea.

For me the problem is that Blink-browsers will not support uBlock Origin

IMO uBO is redundant when using Brave shields (with Brave shields you can add filters and write your own).

Why do you need uBO, when you use AdGuard desktop? The AG extension is as good as uBO and will be Mv3 compliant!