brave/adblock-rust

Support strict-blocking

Closed this issue · 3 comments

https://github.com/gorhill/uBlock/wiki/Strict-blocking

Currently Brave does not block access to a site even if a rule with $document or $all is there. This halves the value of uBlock filters - badware built into Brave. Brave should block access to the site and show a warning page, at least if the site's URL matches any rule with $document or $all. Whether to extend this to pure host rules like ||example.com^, as uBO does, may be arguable.

@Yuki2718 You need to go to brave://settings/shields and set the Trackers & ads blocking to Aggressive; if not, the page will not show the blocked / display the warning screen.
By default Brave has it set to Standard, which means you will have to set all pages to aggressive globally or individually for it to work.

Standard vs Aggressive:

  • Aggressive = 1p and 3p like uBlock or any normal Adblocker would do it.
  • Standard = the adblocker is only meant to do 3p filtering.

Note: this Standard/3p-only system is only applied to Default lists, custom lists/rules don't strictly follow that.
For example:

||example.com^ as a default list rule, will only be applied in Aggressive, that means, nothing 1p will get blocked or show blocked site warning.
||example.com^ as a custom filter, the adblocker will do 1p filtering regardless of Standard or Aggressive mode.

However, the warning screen is only applied in Aggressive mode for any rule or list, so in that case, it follows the 1p vs 3p rule from the Aggressive vs Standard mode.

$all is not supported in Brave, something they are tracking here #1 so the rules get ignored.

But once Brave adblocker is set to Aggressive, Brave will behave exactly(?) like uBlock:

  • ||example.com^ will show the warning message, no connection is made to the site and if you proceed all 1p network connections from the page will be blocked.
  • ||example.com^$document / $doc will only show the warning screen, no connection is made to the site, and if you proceed, the adblocker will only block whatever was meant to be blocked by other rules.

and if you check the Don't warn me about this site again, the rule @@||example.com^ will be added to brave://adblock custom rules.

Thanks for the comprehensive answer @Emi-TheDhamphirInLoveUnderTheFrozenStar! Only thing I'd add is that you can globally configure Aggressive mode in Brave using the settings at brave://settings/shields.

I'll close this for now but @Yuki2718 please feel free to follow up if it's not working correctly for you.

TL;DR:

  • @@||example.com^ should be @@||example.com^$document
  • Hide search ads by default and apply strict-blocking for rules with $document by default
  • The current message on the blocking page should be adjusted.

Okay, confirmed; however, @@||example.com^ can allow too much, it should be @@||example.com^$document. BTW I guess I understand Brave's vision including 1p vs. 3p; however, I suggest making an exception to the rule or adding another level between Standard and Aggressive that blocks malicious ads/sites (and preferably defaulting to it). In particular, search ads should be blocked because they have been the very source of scams and malware:
https://twitter.com/malwrhunterteam/status/1617893189402386433
https://www.bleepingcomputer.com/news/security/hackers-push-malware-via-google-search-ads-for-vlc-7-zip-ccleaner/
https://twitter.com/Unit42_Intel/status/1617672614792642560
https://twitter.com/OBSProject/status/1615033901809913856
https://twitter.com/BornatoBtw/status/1616412352596918273
[Brave itself is a target!] https://twitter.com/TxDigiPro/status/1590879928949821441
https://www.tweaktown.com/news/90033/google-serves-up-malware-for-user-looking-to-update-their-amd-graphics-drivers/index.html
https://www.bleepingcomputer.com/news/security/google-ad-for-gimporg-served-info-stealing-malware-via-lookalike-site/

So even the FBI recommends using an adblocker, but Brave users are not protected unless they set it to Aggressive - I actually checked some of them in real-time and can say Safe Browsing is almost helpless. Neither is it for malicious sites we, the uBO filter team, add to the badware list daily, and we add rules assuming strict-blocking. Applying only rules with $document ($all should be decompiled to $document + the rest) does not block 1p ads so I suggest this, which also minimizes possible trouble by strict-blocking often caused by Peter Lowe's list.

Oh, and the current message on the blocking page assumes the blockage is due to tracking, this is inaccurate in case of bad sites.
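
Added example, not part of the thread and not code from adblock-rust or uBlock Origin: a simplified Python model of the exception-scope point raised above, comparing @@||example.com^ with @@||example.com^$document against a constructed filter list. It assumes $document restricts a rule to top-level navigations and ignores Brave's Standard/Aggressive distinction; the function names and the ||ads.example.com^ rule are hypothetical.

```python
from urllib.parse import urlsplit

def parse_rule(line):
    """Parse the constructed subset [@@]||host^[$document|$doc] used below."""
    exception = line.startswith("@@")
    pattern, _, opts = (line[2:] if exception else line).partition("$")
    if not (pattern.startswith("||") and pattern.endswith("^")):
        raise ValueError(f"unsupported rule: {line!r}")
    options = {o for o in opts.split(",") if o}
    if not options <= {"document", "doc"}:
        raise ValueError(f"unsupported option in: {line!r}")
    return {"host": pattern[2:-1].lower(),
            "exception": exception,
            "document_only": bool(options)}

def rule_applies(rule, url, is_document):
    """||host^ matches the host and its subdomains; $document limits the
    rule to top-level navigations (assumption of this model)."""
    if rule["document_only"] and not is_document:
        return False
    host = (urlsplit(url).hostname or "").lower()
    return host == rule["host"] or host.endswith("." + rule["host"])

def is_blocked(rules, url, is_document):
    """A matching exception wins over any matching block rule."""
    hits = [r for r in map(parse_rule, rules) if rule_applies(r, url, is_document)]
    return bool(hits) and not any(r["exception"] for r in hits)

# Constructed list: one strict-blocking rule plus one ordinary host rule.
BASE = ["||example.com^$document", "||ads.example.com^"]
BROAD = BASE + ["@@||example.com^"]            # exception quoted in the thread
NARROW = BASE + ["@@||example.com^$document"]  # exception proposed in the thread

PAGE = ("https://example.com/", True)                       # top-level navigation
SUBRESOURCE = ("https://ads.example.com/banner.js", False)  # request from the page

if __name__ == "__main__":
    for name, rules in (("base", BASE), ("broad", BROAD), ("narrow", NARROW)):
        print(f"{name:6} page blocked={is_blocked(rules, *PAGE)} "
              f"subresource blocked={is_blocked(rules, *SUBRESOURCE)}")
```

In this model both exceptions dismiss the warning page, but only the $document form leaves the ||ads.example.com^ block in force for requests made by the page.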