In section 3.2.2 they mention being able to handle obfuscated/minified scripts, but based on the description it doesn't look very robust. Any sort of anti-debug/tampering would break this, e.g. storing the value of window.localStorage somewhere, then comparing it against the value of window.localStorage when you try to access it. If the values differ, there's probably some debugging/tampering going on, and the site can hold the content hostage and demand you turn off the protections. I'm not sure why they don't just patch the JavaScript runtime environment (i.e. the implementation of window.localStorage itself). That would be much more robust and harder to detect. Plus, you don't have to mess around with rewriting scripts.
Here is Brave’s announcement with technical details:

https://brave.com/privacy-updates/12-sugarcoat/

The actual paper:

https://brave.com/wp-content/uploads/2021/06/sugarcoat-ccs-2021.pdf
I’d really love to see this in Firefox, even though I already use uBlock Origin, Privacy Badger and Container Tabs. Even if this is added, I’d still not give up on these extensions.

Though Brave has been involved in (controversial?) work that’s tangential or unrelated to the core web, such as a substitute for advertising-based income for sites, a crypto wallet, etc., I do admire the relentless focus on creating features that help and protect users. It also seems to have a higher velocity of feature releases, perhaps because it can still rely a lot on the open source Chromium project (which it customizes) as opposed to the Firefox team that has to maintain and improve Gecko/Servo as well as handle end-user-facing features.
I actually don't care that much when sites break because of my ad blockers. If sites require my ad blockers disabled to work correctly, these sites are what is broken in the first place.
I really like the sound of this but I don't trust Brave. I used Brave on iPhone as soon as it came out, always in private mode so as to not save any history or open tabs. A while back, after an update, I opened the app and it immediately opened dozens and dozens of tabs, all of which I recognized as being tabs I had opened in the past. It almost seemed to be opening pages back to when I first used the app. I obviously left a complaint in the reviews. The developers quickly pushed another update but never addressed how or why this was even possible.
hm. interesting. could be an interesting feature for the mozilla vpn. rather than just redirecting all traffic to a clean pipe, redirect it into a special networking environment where tracking endpoints are mocked up to be benign.

even better would be if users could also analyze their own traffic, block suspicious things and contribute to the mock environment for firewalling personal data.

maybe the future of firewalls will be more about keeping user data in, rather than keeping malicious actors out...
Alright - so if the example they provide illustrates the gist of their approach, it's essentially "sandboxing" the scripts so that calls to localStorage succeed but are then effectively non-persistent.

Can scripts be written to bypass such sandboxing?
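Added example (not part of any comment above, and not Brave's or SugarCoat's code): a simplified model of the behaviour discussed in this thread, where a script's localStorage calls succeed but never persist, together with the object-identity difference the first comment points out as a limitation of script-level substitution. The `disk` Map, `pageWindow`, `sandboxedWindow` and `trackerScript` are constructed stand-ins so the model runs outside a browser.

```javascript
// Constructed stand-in for persistent browser storage: a Map plays the role of disk.
const disk = new Map();

// Minimal Storage-like object over any backing Map (assumption: only these methods are needed).
function makeStorage(backing) {
  return {
    getItem: (k) => (backing.has(String(k)) ? backing.get(String(k)) : null),
    setItem: (k, v) => { backing.set(String(k), String(v)); },
    removeItem: (k) => { backing.delete(String(k)); },
    clear: () => backing.clear(),
    get length() { return backing.size; },
  };
}

// Constructed page global whose localStorage really persists to `disk`.
const pageWindow = { localStorage: makeStorage(disk), name: 'page' };

// Script-level substitution: the third-party script receives a view of the
// window whose localStorage is an in-memory shim; everything else passes through.
function sandboxedWindow(win) {
  const ephemeral = makeStorage(new Map());
  return new Proxy(win, {
    get: (target, prop) =>
      prop === 'localStorage' ? ephemeral : Reflect.get(target, prop),
  });
}

// Hypothetical third-party script: writes an identifier and reads it back.
function trackerScript(win) {
  win.localStorage.setItem('uid', 'constructed-id-123');
  return win.localStorage.getItem('uid');
}

function runDemo() {
  const sandbox = sandboxedWindow(pageWindow);
  const readBack = trackerScript(sandbox);
  return {
    readBack,                                   // the script sees its write succeed
    persisted: disk.has('uid'),                 // nothing reached persistent storage
    passthrough: sandbox.name,                  // other properties are untouched
    // The shim is a different object from the page's own localStorage, which is
    // the observable difference that patching the runtime itself would avoid.
    sameObject: sandbox.localStorage === pageWindow.localStorage,
  };
}

console.log(runDemo());
```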
> SugarCoat replaces these scripts with scripts that have the same properties, minus the privacy-harming features

Depending on the scope of these replacement scripts, this may run into API patent & copyright issues. Additionally, the trackers can simply start using different tracker script URLs to avoid this type of implementation.

A better solution is to allow these scripts to load (without cookies) and patch all of their actual network emissions and storage access to follow consent rules.
I block a bunch of trackers both via uBlock, NoScript, and NextDNS. I don't notice much breakage; I'm not sure what this tool is trying to solve.
Brave browser combined with Sugarcoat, I wonder how this combination will turn out. Also, it would be great if Sugarcoat could be integrated with other browsers that don't want to jump on the Brave train.