Another "privacy-based browser" bites the dust!
This afternoon, users posted to Y Combinator’s Hacker News that the tracking protection in the Brave browser does not block tracking scripts from hostnames associated with Facebook and Twitter. The source code of tracking_protection_service.h shows this: it contains a comment stating that a tracking protection white_list variable was created as a “Temporary hack which matches both browser-laptop and Android code”.
The whitelisted hostnames are: connect.facebook.net, connect.facebook.com, staticxx.facebook.com, www.facebook.com, scontent.xx.fbcdn.net, pbs.twimg.com, scontent-sjc2-1.xx.fbcdn.net, platform.twitter.com, syndication.twitter.com, cdn.syndication.twimg.com
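An added example, not code from Brave or from the original post: a request audit showing how an exception list that is consulted before the blocklist lets the listed third-party hosts load. The blocklist, the exact-host and suffix matching rules, the function names and the sample request log are assumptions constructed for illustration.

```javascript
// Hostnames copied from the exception list quoted above.
const EXCEPTIONS = new Set([
  "connect.facebook.net", "connect.facebook.com", "staticxx.facebook.com",
  "www.facebook.com", "scontent.xx.fbcdn.net", "pbs.twimg.com",
  "scontent-sjc2-1.xx.fbcdn.net", "platform.twitter.com",
  "syndication.twitter.com", "cdn.syndication.twimg.com",
]);

// Constructed blocklist of tracker domains (assumption, not Brave's real list).
const BLOCKLIST = ["facebook.net", "facebook.com", "fbcdn.net",
                   "twitter.com", "twimg.com", "tracker.example"];

// True when host equals domain or is a subdomain of it.
function underDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Classify one request made while loading a page served from pageHost.
// Assumption: exceptions match the exact hostname, blocklist entries match by suffix.
function classify(pageHost, requestUrl) {
  const host = new URL(requestUrl).hostname.toLowerCase();
  if (host === pageHost) return "first-party";
  const listed = BLOCKLIST.some((d) => underDomain(host, d));
  if (!listed) return "allowed";
  // The exception is checked before the block decision, so it wins.
  return EXCEPTIONS.has(host) ? "allowed-by-exception" : "blocked";
}

// Return the third-party tracker requests that the exception list lets through.
function auditPageLoad(pageHost, requestUrls) {
  return requestUrls.filter((u) => classify(pageHost, u) === "allowed-by-exception");
}

// Constructed request log for one page load on news.example.
const SAMPLE_REQUESTS = [
  "https://news.example/article.html",
  "https://connect.facebook.net/en_US/sdk.js",
  "https://platform.twitter.com/widgets.js",
  "https://pixel.tracker.example/p.gif",
  "https://graph.facebook.com/v3/me",
  "https://cdn.example.org/lib.js",
];

console.log(auditPageLoad("news.example", SAMPLE_REQUESTS));
```

Running the same audit over a real request log exported from the browser's network panel shows which pages still contact the excepted hosts.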
Look how they justify themselves (from https://brave.com/script-blocking-exceptions-update/):
Brave aims to maintain a working Web, while reducing or eliminating the invasive tracking that has become so ubiquitous online.
So which one is the priority? Since your site claims it's the privacy...
For example, Facebook and Twitter both contain widgets which web authors can integrate into their online properties. These widgets aim to make it easier for users and publishers to connect by allowing users to authenticate through Facebook or Twitter, rather than creating and maintaining an account with the publisher themselves. The exception list covered by several news outlets allows both of these widget sets to operate on a leash. They can load, but they cannot access local data on the client so as to track the user.
Who gives a shit whether they can access local data? You've now associated your browsing history with your Facebook and Twitter accounts - and you worry about some local data?! There's no worse tracking than the one attached to your name!
For many publisher implementations, blocking the script request would break Facebook-based OAUTH and Facebook likes and shares.
Yes, of course blocking Facebook tracking would mean you can't authenticate through it. And by whitelisting it, Brave chose a working web over the privacy of its users - proving they, like Mozilla, are just another malicious agent pretending otherwise.