Brave-browser: Allow shields to whitelist an entire site, including subdomains

Other users have also requested this functionality:

• https://twitter.com/nicksergeant/status/1169044157568077824

Any news? This is annoying as hell when I use https://codesandbox.io

Pinging this again. This is an incredibly necessary request, why has this sat here since July?

Yeah this would be useful

This would be a very useful feature

Need this feature too.

Also need this for using LogMeIn for work

This is a close to a deal breaker for me. absolute must have

I need this to get Google OAuth working.

Any news on this? I got plenty of apps within my company's domain and their number is growing constantly - I'd love to see this feature get through

cc: @rebron

I found this issue because I was looking for the same thing. It would be great to have a setting for doing this.

Brave currently does allow for whitelisting via the brave://adblock/ page using adblock syntax:

@@||ads.example.com/notbanner^$~script

or entire sites:

@@||example.com^$document

if the OP needs to whitelist logmein they should be able to do so (with all subdomains) by adding:

@@||logmein.com^

What's missing currently is the ability to add URLs or to use a custom schema like ABP has to subscribe to a list:

abp:subscribe?location=https%3A%2F%2Fwww.example.com%2Fwhitelist%2Fsample-whitelist.txt%26amp%3Btitle%3DExample%20Whitelist

Brave would likely be able to solve a number of extension compatibility issues if there was a programmatic way to add exceptions or to subscribe to lists so that extensions could provide configuration files that users could decide to enable to deal with compatibility issues.

Thanks @AdamSC1-ddg.

I just tried this with @@||wordpress.com^ as a quick test to whitelist all WordPress.com sites, but the shields are still operational on them.

Is there something I'm missing?

I've also tried the @@||wordpress.com^$document variant to no avail.

I tried the above and it didn't work for me either.

I had managed to get this to work a while ago when targeting Outbrain ads, but, having tried again there is an issue.

To further test this I noted that:

1. Custom filters do block. For example ||redditstatic.com^ will break Reddit.
2. Custom whitelisting will overrule custom blocks. For example, placing @@||redditstatic.com^ one line under ||redditstatic.com^ over rules the blocking.

It seems that it isn't the case that whitelisting in general isn't working - but, rather that we are unable to have whitelisting over rule built-in lists and regional lists. I would guess based on the order they are being applied in? (cc: @rebron @bsclifton )

(Also @Luminus - the rule @@||wordpress.com^ wouldn't turn off shields for all WordPress sites, it would prevent any request from WordPress.com from being blocked on any site.)

@AdamSC1-ddg thanks for the explanation.

So in essence, it isn't quite possible just yet to whitelist a domain and all its subdomains so that shields are down for them.

Is this something that you think will get implemented anytime soon?

@AdamSC1-ddg thanks for the explanation.

So in essence, it isn't quite possible just yet to whitelist a domain and all its subdomains so that shields are down for them.

Is this something that you think will get implemented anytime soon?

In theory doing @@||wordpress.com^$document should whitelist all calls (same as disabling shields) on wordpress.com and its subdomains. Where as @@||wordpress.com^ should whitelist all calls to WordPress from other sites.

Not sure why its failing, but, I tagged the Brave staff who were involved in that convo above so hopefully they can investigate a fix.

Multiple +1's from https://github.com/brave/brave-browser/issues/7680

Including this great list from @Brave-Matt:

Some additional reports:

• https://community.brave.com/t/shields-is-blocking-webgl-on-itch-io/81402
• https://community.brave.com/t/how-to-widen-scope-of-saved-site-exceptions/13715
• https://community.brave.com/t/cant-deny-all-and-whitelist-cookies-in-version-0-57-18/39166/2
• https://community.brave.com/t/bravew-shields-league-of-legends/78761
• https://community.brave.com/t/a-manually-edited-whitelist-of-sites/89953
• https://community.brave.com/t/testing-brave-shields/39899/3
• https://www.reddit.com/r/brave_browser/comments/bwt4sw/whitelist_with_wildcard/

Happy to find/add more if necessary.

cc: @rebron for triage

This is probably a reason to move back to Chrome. I really don't feel inclined to whitelist all our local IP addresses one by one...

@karenkliu Let's see if we can move this one along. We're looking for a list exception to turn off shields for specified domains. @AdamSC1-ddg mentioned using brave://adblock Custom Filter rules. a) It's possible we keep this as an advanced user feature and use the Custom Filter rules instead of adding UI to this. cc: @yrliou

We could also go with using b) brave://settings/content and introduce Shield settings here to manage a list or c) add a pref to brave://settings/shields. Or something else entirely.

@adamreisnz Thanks for the feedback and we do want to see why Brave users would possibly even consider moving back to Chrome and address those issues in a timely manner. With our speed and privacy advantages https://webtest.app/ we hopefully can keep you. Those seconds add up.

@rebron

. . . It's possible we keep this as an advanced user feature and use the Custom Filter rules instead of adding UI to this . . . Or something else entirely.

I just did a test where I whitelisted @@||api.amplitude.com^ via chrome://adblock/. When I reloaded the page, the call was still listed as being blocked

I would think this detailed view is a great place to add a slider toggle to whitelist a domain right from the UI, rather than having to load a separate advanced settings page. I believe this would be similar to the Ghostery ux-- "for website x, allow 3rd party calls to domain y"

My $0.02

I do not use Brave cause this. I preffer to keep using mozilla and NoScript, wich lets u whilelist sites and trackers one by one.

Having to unblock manually all the time is annoying.

+1 here, too. We have a huge number of internal pages which I could whitelist with one line, if this were possible.

+1

I'm trying to get out IT support over to Brave from Chrome, but this issue is preventing me recommending Brave currently. We use LogMeIn extensively and the URL for each session changes each time we connect, e.g.

https://testpc-zmddtrpcys.app03-32.logmein.com/

and cross-site trackers enabled breaks our ability to remote on to the machine. Yes, we can untick it each time but ideally we want to disable it for *.logmein.com.

Watching this thread with interest.

+1
I am unable to authenticate to portal.azure.com (Microsoft Azure management) because my company is integrating with Duo Security as an MFA provider. Brave is interpreting some aspect of the cross-site MFA process as Ad or Tracking related, and thus breaking authentication.

The redirects happen so fast that I am unable to manually open the Shields UI to disable Shields on all sites involved. Adding the sites I believe to be involved in the exchange to the brave://adblock white list (in both @@||site.com^ and @@||site.com^$document format) is ineffective.

I am falling back to use of Firefox for Azure access, but I would prefer to use Brave for everything. I can't recommend this product to colleagues until it is compatible with all of the tools that we need to use to get our jobs done.

Definitely need this resolved. My bank recently changed its authentication when you sign in and it takes you to a URL on a subdomain that has "shields up" But I can't white list by clicking the shield because then it reloads the page / can't login to bank b/c the authentication process is interrupted.

+1

C'mon,
Why is this still not fixed? Just add a button next to the cross-site trackers in the shield "disable".

This is a huge issue for adoption.

Adding a little color to my previous comment. The scope of our problem just grew from "administrative access to a cloud service management portal" to "all institutional access to email".

My employer (a major university in the northeast) currently is rolling out an MFA-everywhere initiative. Soon, all faculty, staff, and students will need to use our external MFA provider to access all institutional web services. At that point, it will be impossible for our constituents to use Brave for access to email, calendar, and collaboration tools. Without an easy mechanism to unblock Office 365 and Duo Security, Brave adoption here will drop to zero.

I'll add that I want this because without it _twitter embeds don't show emoji_

Here's an image that illustrates both how many emoji are blocked by the shield (well, a third of them) as well as what the tweet looks like without it.

Personally I basically think that blocking twitter emoji should be removed from Brave altogether—if there's an embedded tweet, twitter can already track you. It's probably in the adblock since those emoji are served from syndication.twitter.com.

Hiya away from twitter, @malcolmocean. It looks like adding @@||syndication.twitter.com^ to the brave://adblock/ custom blocklist would allow all requests to go through.

the rule @@||wordpress.com^ ... would prevent any request from WordPress.com from being blocked on any site.)
https://github.com/brave/brave-browser/issues/5290#issuecomment-573074690

(Unless you need cookies on those requests).

Is there a way to modify cookie settings for the page without loading it? Or modify the site-specific cookies settings globally, by domain?

I'm having an issue using Brave to read papers with a library proxy. Each new journal site has a new-journal-site.libproxy.univ.edu sub-domain, sometimes multiple redirects (e.g. for the journal's auth redirect).

It's tricky to coerce Brave to "recognize" it's on a domain so that I can update the site-shield settings. It would be sufficient (for me) to be able to update shield settings without successfully loading the domain. This might be too complicated given entanglement in Chromium network stack 😱

I love Brave, but this issue is causing my work to suffer. I am now forced to switch back to Chrome so I can do my job.

I second what everyone has already said. I also cannot check organisational email (hosted outlook with ADFS etc) without completely turning off the shield.

Unable to log into my switch within my LAN because of this... Brave is great but without this I have to open a different browser for managing my network.

I have issues with implementing privacy policies with Iubenda because of this.

On occasion an Office 365 website will fall into a redirect loop because of this. Today it was the forms app.