Brave從Chromium引擎中刪除哪些內容? 追蹤
(請注意,此頁面正在進行中,可能會經常更新)
Brave for desktop is built on top of the open-source Chromium project. 我們在現有基礎上添加功能,也會刪除功能或部分代碼。 這些觸及核心Chromium代碼的偏差是通過補丁實現的。
Chromium與Google Chrome不同。 For some differences, see https://chromium.googlesource.com/chromium/src/+/master/docs/chromium_browser_vs_google_chrome.md.
它如何運作
If you wanted to do an audit of the code, you would start with the brave-browser repository. Our wiki has instructions about what steps need to be done to perform a build after cloning the source
Chromium源碼被獲取
gclient工具(depot工具的一部分)將獲取官方的Chromium源代碼。 The tag that is fetched is captured in our package.json(for example,70.0.3538.35). All of the source code will be downloaded into the./src/folder
Brave代碼被獲取
作為設置過程的一部分,我們還會獲取我們自己的代碼。 The brave-core repository has the code that makes the browser Brave. The branch that should be checked out is also contained in that package.json. There is also a DEPS file in brave-core that pulls in sub-dependencies (such as the brave-extension)
運行鉤子
在gclient同步運行並獲取所有代碼(包括brave-core)後,會運行鉤子。 運行的一個鉤子會應用包含在brave-core中的補丁(您可以在此處查看)。 If you'd like to know more details about HOW the patching works, you can view our patching wiki page.
出於隱私/安全原因刪除哪些Chromium功能?
我們完全禁用的服務和功能
- Chrome Privacy Sandbox. There are several APIs bundled together in Privacy Sandbox and we aim to disable all given our concerns.
- Google帳戶集成("GAIA")已禁用
- 所有將數據發送到Google的功能都已從設置中刪除
- DNS預取已禁用
- Chrome Google URL跟踪器已禁用
- 域名服務可靠性已禁用
- 內聯擴展已禁用
- 後台同步已禁用
- Hyperlink
pingattribute is disabled - 停用電池API
- 停用WebBluetooth API
- 停用WebRTC調試日誌上傳
- 重置配置檔案後停用設定上傳
- 重置配置檔案後停用檢索OEM預設設定
- 停用崩潰記錄跟踪上傳
- 停用Google雲端訊息
- 停用Firebase雲端訊息
- 停用推送用戶端頻道更新
- 停用網絡時間追踪
- 停用Google協助的地址標準化
-
Specific features are disabled on startup via the CLI (search for
disabled_features) - 從Linux套件移除dl.google.com倉庫
- 停用度量報告
- 停用相似網址導航建議
- 停用報告觀察者和報告API
- 停用滾動至文本片段功能
- 停用運動感測器
- 停用navigator.credentials
- 停用Android OTP整合
- 停用SXG
- 停用NFC
- 停用WebBundles
- 停用用戶端提示(語言)
- 停用直接/原始套接字
- 停用閒置檢測
- 停用通知觸發器
- 停用檔案系統API
- 停用數字商品API
- 停用串行API
- 停用聯合學習群集(FLoC)
- 停用網絡資訊API
- SCT auditing
- Site affiliation fetcher (part of the password manager)
- Disables kOptimizationGuideFetchingForSRP
- Disable Web Environment Integrity
- Disable Popular Sites (AKA Top Sites)
- Disable Trust Tokens / Private State Tokens
穿越Brave伺服器的代理服務
Google不會收到任何關於執行這些請求的用戶端的資訊(甚至包括您的 IP 地址)。
- 安全瀏覽請求被代理
- 地理位置請求被代理
- 插件更新被代理
- 證書撤銷請求通過代理
- CRL集合的請求通過代理
- 組件更新請求通過代理
- 拼寫檢查字典請求通過代理
- 開發工具中的請求通過代理
- Requests for Search Engine page favicon (Android) are proxied
代理端點
https://dl.google.com/release2/chrome_component/*crl-set*https://*.gvt1.com/edgedl/release2/chrome_component/*https://*.gvt1.com/edgedl/chrome/dict/*.bdichttps://storage.googleapis.com/update-delta/hfnkpimlhhgieaddgfemjhofmfblmnib/.+crxdhttps://safebrowsing.googleapis.com/https://sb-ssl.google.com/https://safebrowsing.google.comhttps://ssl.gstatic.comhttps://gstatic.comhttps://update.googleapis.comhttps://chrome-devtools-frontend.appspot.comhttps://clients2.googleusercontent.comhttps://clients2.google.comhttps://clients4.google.comhttps://chrome-devtools-frontend.appspot.comhttps://accounts.google.comhttps://*.infura.iohttps://*.gvt1.com/edgel/chromewebstore/*/*https://*.gvt1.com/edgedl/release2/*/*http://dl.google.com/release2/*/*
修改的功能和特性
-
Cookies:
- Cookies are given a maximum lifetime of 7 days for cookies set through Javascript and 6 months for cookies set through HTTP
- Session Cookies are cleaned up on restart if "Continue where you left off" mode is enabled (which is default in Brave).
- Third-party cookies are always blocked at the HTTP header level, but we give JavaScript access to partitioned ephemeral storage to pages (learn more about partitioned ephemeral storage).
- The Battery API always returns a fixed value.
- Referrer values are capped to
strict-origin-when-cross-originand can only be tightened by referrer policy, not weakened. In addition, cross-origin requests from a.onionservice have an emptyRefererheader and anullOriginheader just like the Tor Browser. -
.onionentries are replaced with"null"indocument.location.ancestorOrigins()unless such entries are same-origin with the innermost frame. - Hangouts extension is disabled by default. We also disable log uploading to Google's servers: https://github.com/brave/brave-browser/issues/1993.
- 桌面端默認禁用了媒體路由(Chromecast)。您可以通過在brave://settings頁面切換開關來啟用。 您可以通過在 brave://settings 頁面切換開關來啟用它。
- 下載保護遠程查詢省略了 URL 和文件名 (https://github.com/brave/brave-core/pull/6763)。
- 讓 StorageManager.estimate 回報固定值 (問題 #11543)
- 許多功能中增加了隨機性或值的泛化以防止指紋識別,包括:
- 畫布回讀方法
- User Agent, follow ups in issues #12097, #12638, #14740
- enumerateDevices
- Web音頻Serialization
- WebGL調試
- 插件
- hardwareConcurrency
- deviceMemory
- The list of hostnames with pinned CA certificates is replaced with a Brave-specific one.
- 恢復異步剪貼板寫入訪問的手勢要求
- Dangerous download warnings are always shown when Safe Browsing is OFF, but a flag to disable the warnings is available for advanced users.
- Functionality from the Chromium side panel has been merged into the Brave Sidebar.
- Web Serial API is OFF but a flag to enable is available for advanced users.
- Enhanced the geolocation permission dialog to inform the user whether the site they are visiting has requested location data with the
enableHighAccuracyoption. - Reporting Observers are enabled but don't work (calling will no-op). See here for where it was disabled and see here for where it was re-enabled but made to do nothing.
- Open Search adding engines has a toggle (
Index other search engines) and is disabled by default. - Access to Storage Access API is disabled in Brave by always rejecting the permission request.
- When group policy is in place, Brave does NOT disable secure DNS. Chrome/Chromium will disable secure DNS in the UI and force the administrator to define a policy if they want a value other than
Off. See here and here.
評論
Some of the above (along with other issues) were previously tracked in https://github.com/brave/brave-browser/issues/13.
您可能會注意到一些請求到Google域名。 Some of these, such asclients*.google.com and update.googleapis.com are needed to check for extension updates if you installed extensions.
Brave與 ungoogled-chromium 的比較?
Description of ungoogled-chromium, per their GitHub page:
ungoogled-chromium 是Google Chromium,不包括與Google統合。 It also features some tweaks to enhance privacy, control, and transparency(almost all of which require manual activation or enabling).
We have an issue captured for pulling in relevant patches from theungoogled-chromiumproject. Theungoogled-chromiumproject similarly has an issue captured where they mention pulling in patches from Brave.