Brave-browser: Add extensions to Tor windows

Allowing extensions in private windows or tor may leave browsing history , traces, cache, cookies & other things . Look at the warning in the picture below. I don't know with high certainty though.

@Techguyprivate Totally forgot about that hidden toggle, thanks a bunch! Only works for incognito, but it seems from the comments below that Tor extensions are being worked on

cc: @posix4e do you have an update?

Yep we have been working for this and we have something soon. I'll have my friend helping speak up on the issue.

For sure, started looking into adding privacy pass for tor

@durch Is my friend helping on the project.

The controls should eventually be the same for Tor windows — just another toggle. But to do that, we ned to get a way from from using guest windows as the basis for Tor, and rebuild them as another type of session more like regular private windows.

@tomlowenthal So confirming the steps are

• [ ] Rewrite the tor browser mode to work like private mode and remove the existing tor code
• [ ] Add the ability to add an arbitrary extension to brave tor
• [ ] Add privacy pass extension by default in tor mode. Should we support it with other modes as well?

Do we wanna install this extension by default, or just keep brave users hitting a ton of captchas til they install the extension?

@posix4e I hate captchas and I wasn't even aware of Privacy Pass until you just now mentioned it, and now that you did I'm definitely installing! :sweat_smile:

I think we can safely assume that users would prefer a default installed extension to having to solve numerous captchas to the point of frustration and then only _possibly_ researching for a solution (most would probably remain ignorant like myself). TorBrowser does the same thing with the "HTTPS Everywhere" extension and many others. Also, Privacy Pass is BSD-3 open source.

Also I found this other well-reviewed and open source anti-CAPTCHA extension, Buster

After further the discussion we will

• add in privacy pass support by default into tor mode, and hopefully spruce it up so it’s nice
• we will simultaneously add extension support while keeping a close lookout for security and privacy related issues as we go

i came here to request extensions in tor just so that i could add privacy pass
tor mode on the light web is literally unusable because of the cloudflare recapcha, which most of the time doesnt even let you complete the capcha, because the ip had already been spamming them and they flat out blocked it

Just an update, we're ramping up here, hopefully we'll have something to show soonish :)

Looking forward for this, thanks!

Any progress since March 5?

Any progress?

We have a PR to add the Privacy Pass extension here -> https://github.com/brave/brave-core/pull/2576. Extensions in TOR are WIP here -> https://github.com/brave/brave-core/pull/2724, once both of those wrap up PP will be a part of Brave and will be usable in both Private and Tor modes.

"Once both of those wrap up" is a rather fuzzy estimate.

"Once these two prerequisites that have been stalled for months without any sign of progress (apart from bumping the target milestone without explanation) are satisfied, we will have this feature like immediately-ish".

Any update on this? We understand the preliminary cautions that should be taken, but for rather secure extensions e.g; NoScript, just as it's in TOR Browser. This would be an added benefit to be available in Brave TOR Windows.

Seriously? No progress in over a year now?

Seems like Brave is a gimmick to me as you should let users choose from what they want to do with extensions. Even the official Tor Browser does not disallow this. Also, those who use Tor Browser are likely to be aware about such privacy implications.

Honestly, after reading your latest blog entry, seems like Brave is sleeping with advertisement authorities.

_"Hide Privacy-Harming Ads, But Leave Privacy-Respecting Ones
While Brave uses many of the same filter lists that other tracking and ad blocking tools use, Brave’s mission differs from existing filter list using tools; Brave aims to protect privacy and browsing aesthetics, without harming sites that are privacy-respecting. Put differently, Brave aims to block third-party trackers and ads (which are, in practice, often indistinguishable), without affecting solely first party ads."_

Let the users decide.

No update as of yet; I shared with team. Will ask if someone can update. I know that no progress has been made in one year, but every issue (we have over 2,100) has a priority and work is done in that order

Pull requests are welcome if folks have cycles to handle this

Hope something's been done about it soon. I know about project priorities but it is a practice followeded by major browsers and only Brave seems to move in other direction with no supportive answer so far to not do this.

Countries censor websites people want to browse >> people use tor >> cloudfare, apparently hosts almost all these sites and won't allow tor browsers to access even when we are not a bot!

Brave's tor window is turning out to be very limitedly useful without the ability to use extension to bypass the terrible captchas.

I am fully aware of the privacy implications of allowing certain extensions to run within a Tor session. Being able to override this even with a big fat warning dialog popping up would be nice. Really nice.

It would also be really nice to not have my accessibility tools needlessly taken away from me just for wanting to browse the web more securely. I guess I'll just go back to Firefox when trying to do that for the time being. Oh well.

Hope this gets fixed soon. I'd prefer that my user preference(s) be respected by a piece of software such as a web browser... sometimes even if my preferences are a bad idea.

@rvklein Does Brave not even allow noscript in tor windows?

@SHHSSH you can should be able to disable scripts on a per-host basis using shields, but the disabling is not remembered

@bsclifton How would that really function for forward browsing though? You'd need a whitelist that is defaulted to allow incoming scripts, otherwise it would work too well by defaulting to disable incoming scripts, therefore the site malfunctions. Anyone could manually enable the required components, but it becomes tedious.

Sure, if you're just using the one site it's no issue, but if you're browsing it's a different story. Now I know some may think, who browses on TOR? Isn't that contradicting of its main purpose to a degree? Well, like you somewhat indicated, if you're prioritising a particular site you'd become accustom to trusting links from sources, hence external/forward browsing.

All this could be resolved by allowing certain extensions to be enabled in TOR Windows. Are there any other discussions or documentation that Brave, as a team, has briefed and touched upon in regards to TOR Windows? Is it a little under the rug atm?

EDIT And look, I get that there are hundreds of other things coming up, and you could easily just palm off alot of these "issues" with a "why don't you just use TOR then" -but there just may be a small group of users who are utilising the Tor Window Feature in your browser and you don't want to disassociate from them. If anything, you seem to want to have it as a primary feature, so it should be developed a little further. Thanks for all you do.

For future readers - keep an eye on - https://github.com/brave/brave-core/pull/3319 & https://github.com/brave/brave-browser/projects/11#card-16310743

@NuBz-GeN there are a lot of things to work through and this does have a priority set (relative to other priorities). There was a person working on this over a year ago but that work had been put on hold.

cc: @darkdh who has been solving other Tor issues and @diracdeltas who is familiar with prior work done

I believe @darkdh is looking at this now - can you confirm? 😄

Currently working on moving tor from session profile to OTR profile (https://github.com/brave/brave-browser/issues/12429) which will be the ground work for extension support. So I will work on this issue next.