Brave for Desktop and Android is built on top of the open-source Chromium project. We add features on top of what is already there and we also remove features or pieces of the code. These deviations we make that touch the core Chromium code are done via patching.
The scope of this page is to cover Chromium functionality that is modified in some way. Brave Browser has its own features which are not covered by this document.
If you wanted to do an audit of the code, you would start with the brave-browser repository. Our wiki has instructions about what steps need to be done to perform a build after cloning the source.
Chromium source is fetched
The gclient utility (part of depot tools) will fetch the official Chromium source code. The tag that is fetched is captured in our package.json. For example, .config.projects.chrome.tag at the time of this writing is 116.0.5845.51. All of the source code from Chromium will be downloaded into the ./src/ folder.
Brave code is fetched
As part of the setup process, we also fetch our own code. The brave-core repository has the code that makes the browser Brave. The branch that should be checked out is also contained in that package.json. There is also a DEPS file in brave-core that pulls in sub-dependencies. For example, the omaha and sparkle dependencies are both used for product updates.
Hooks are run
After the gclient sync runs and fetches all the code (including brave-core), the hooks are run. One of the hooks that runs applies the patches (which you can see here) that are contained in brave-core. If you'd like to know more details about HOW the patching works, you can take a peek at our patching wiki page.
What Chromium features are removed for privacy/security reasons?
Cookies are given a maximum lifetime of 7 days for cookies set through JavaScript and 6 months for cookies set through HTTP.
Session Cookies are cleaned up on restart if "Continue where you left off" mode is enabled (which is default in Brave).
Referrer values are capped to strict-origin-when-cross-origin and can only be tightened by referrer policy, not weakened. In addition, cross-origin requests from a .onion service have an empty Referer header and a null Origin header just like the Tor Browser.
Media Router (Chromecast) is disabled by default on Desktop. You can turn it on by toggling the switch in brave://settings.
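A model of the referrer cap and the .onion rule listed above, added here as an example and not taken from Brave's code. The function names, the "shorter value is the stricter one" comparison and the sample URLs are assumptions made for illustration.

```javascript
// Added illustration: a model of the capping rule, not Brave's implementation.
const CAP = "strict-origin-when-cross-origin";

// Referrer a policy yields under the W3C Referrer Policy rules:
// "" (none), "<origin>/", or the full URL minus fragment and credentials.
function referrerFor(policy, from, to) {
  const full = new URL(from.href);
  full.hash = ""; full.username = ""; full.password = "";
  const origin = from.origin + "/";
  const same = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return "";
    case "unsafe-url": return full.href;
    case "origin": return origin;
    case "same-origin": return same ? full.href : "";
    case "strict-origin": return downgrade ? "" : origin;
    case "origin-when-cross-origin": return same ? full.href : origin;
    case "no-referrer-when-downgrade": return downgrade ? "" : full.href;
    default: // strict-origin-when-cross-origin and unrecognised values
      return same ? full.href : downgrade ? "" : origin;
  }
}

// Headers under the behaviour the page describes. The possible values nest as
// prefixes (none, origin, full URL), so the shorter one is the stricter one.
function cappedHeaders(requestedPolicy, fromUrl, toUrl) {
  const from = new URL(fromUrl), to = new URL(toUrl);
  const crossOrigin = from.origin !== to.origin;
  if (crossOrigin && from.hostname.endsWith(".onion")) {
    return { referer: "", origin: "null" }; // .onion rule from the page
  }
  const asked = referrerFor(requestedPolicy, from, to);
  const capped = referrerFor(CAP, from, to);
  return {
    referer: asked.length <= capped.length ? asked : capped,
    origin: from.origin, // value of Origin on requests that carry one
  };
}

// Constructed sample URLs.
const page = "https://shop.example/cart?item=42#top";
console.log(cappedHeaders("unsafe-url", page, "https://cdn.example/a.js"));
console.log(cappedHeaders("no-referrer", page, "https://shop.example/pay"));
console.log(cappedHeaders("unsafe-url", "http://abc.onion/x", "https://cdn.example/"));
```

A site asking for unsafe-url still leaks only its origin cross-site, while a site asking for no-referrer keeps that stricter choice.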
Some of the above (along with other issues) were previously tracked in #13.
You may notice some requests to Google domains. Some of these, such as clients*.google.com and update.googleapis.com, are needed to check for extension updates if you installed extensions.
ungoogled-chromium is Google Chromium, sans integration with Google. It also features some tweaks to enhance privacy, control, and transparency (almost all of which require manual activation or enabling).
We have an issue captured for pulling in relevant patches from the ungoogled-chromium project. The ungoogled-chromium project similarly has an issue captured where they mention pulling in patches from Brave.
NOTE: this page is a work in progress! It should by no means be considered a "final" or exhaustive list of things we have removed.
Chromium is not the same as Google Chrome. For some differences, see https://chromium.googlesource.com/chromium/src/+/master/docs/chromium_browser_vs_google_chrome.md.
Services & Features We Disable Entirely
ping attribute is disabled
disabled_features)
Services We Proxy Through Brave Servers
Google does not receive any information about which client is performing these requests (not even your IP address).
Proxied endpoints
https://dl.google.com/release2/chrome_component/*crl-set*
https://*.gvt1.com/edgedl/release2/chrome_component/*
https://*.gvt1.com/edgedl/chrome/dict/*.bdic
https://storage.googleapis.com/update-delta/hfnkpimlhhgieaddgfemjhofmfblmnib/.+crxd
https://safebrowsing.googleapis.com/
https://sb-ssl.google.com/
https://safebrowsing.google.com
https://ssl.gstatic.com
https://gstatic.com
https://update.googleapis.com
https://chrome-devtools-frontend.appspot.com
https://clients2.googleusercontent.com
https://clients2.google.com
https://clients4.google.com
https://chrome-devtools-frontend.appspot.com
https://accounts.google.com
https://*.infura.io
https://*.gvt1.com/edgel/chromewebstore/*/*
https://*.gvt1.com/edgedl/release2/*/*
http://dl.google.com/release2/*/*
Modified Features and Functionality
Referrer values are capped to strict-origin-when-cross-origin and can only be tightened by referrer policy, not weakened. In addition, cross-origin requests from a .onion service have an empty Referer header and a null Origin header just like the Tor Browser.
Comments
Some of the above (along with other issues) were previously tracked in #13.
You may notice some requests to Google domains. Some of these, such as clients*.google.com and update.googleapis.com, are needed to check for extension updates if you installed extensions.
How does Brave compare to ungoogled-chromium?
Description of ungoogled-chromium, per their GitHub page:
ungoogled-chromium is Google Chromium, sans integration with Google. It also features some tweaks to enhance privacy, control, and transparency (almost all of which require manual activation or enabling).
We have an issue captured for pulling in relevant patches from the ungoogled-chromium project. The ungoogled-chromium project similarly has an issue captured where they mention pulling in patches from Brave.