Use localhost-permission-allow-list.txt to decide which websites to prompt for #30121

Closed
ShivanKaul opened this issue May 4, 2023 · 5 comments · Fixed by brave/brave-core#18354

Collaborator

ShivanKaul commented May 4, 2023

If localhost permission is not already given, only prompt if the requesting URL is on the allowlist, which will be shipped as a component update.

  1. This list will live at https://github.com/brave/adblock-lists/tree/master/brave-lists. PR: Create localhost-permission-allow-list.txt adblock-lists#1156
  2. The localhost-permission-allow-list.txt will be bundled in Brave Local Data Updater similar to debounce.json or https-exceptions-list.txt. PR: Package localhost-permission-allow-list.txt brave-core-crx-packager#620
  3. Currently localhost connections are blocked via adblock: https://github.com/brave/adblock-lists/blob/master/brave-lists/brave-specific.txt#L1-L12. We will remove those once we have the new list in place.

If a user goes into brave://settings/content/localhostAccess and adds a website to Allow or Deny we should honour that first.
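
A minimal model of the decision order described in this issue, added here as an illustration; it is not code from brave-core. The function names, the origin-keyed settings map, subdomain matching and the silent-block fallback are assumptions.

```python
from enum import Enum
from urllib.parse import urlsplit


class Decision(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    PROMPT = "prompt"


# Constructed sample in the format used in this issue: '#' comments, one domain per line.
SAMPLE_ALLOW_LIST = "# https://shivankaul.com/brave/localhost/\nshivankaul.com\n"


def parse_allow_list(text):
    """Return the set of lower-cased domains, skipping blank lines and '#' comments."""
    domains = set()
    for raw in text.splitlines():
        line = raw.strip().lower().rstrip(".")
        if line and not line.startswith("#"):
            domains.add(line)
    return domains


def origin_of(url):
    # The settings page lists entries as scheme://host:port, e.g. https://shivankaul.com:443.
    parts = urlsplit(url)
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    return f"{parts.scheme}://{parts.hostname}:{port}"


def on_allow_list(host, domains):
    # Assumption: an entry matches the host itself and its subdomains, on label boundaries only.
    return any(host == d or host.endswith("." + d) for d in domains)


def decide(requesting_url, user_settings, allow_list):
    """user_settings maps an origin string to Decision.ALLOW or Decision.BLOCK."""
    # 1. An explicit entry from brave://settings/content/localhostAccess is honoured first.
    stored = user_settings.get(origin_of(requesting_url))
    if stored is not None:
        return stored
    # 2. No stored decision: prompt only when the requesting site is on the shipped list.
    host = (urlsplit(requesting_url).hostname or "").rstrip(".")
    if on_allow_list(host, allow_list):
        return Decision.PROMPT
    # 3. Assumption: any other site is refused without a prompt.
    return Decision.BLOCK
```
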

Member

kjozwiak commented Jun 1, 2023

@brave/qa-team this one can be completed at the same time alongside #30151.

stephendonner added the QA/In-Progress label Jun 2, 2023

stephendonner commented Jun 2, 2023

Verification PASSED using

Brave 1.53.76 Chromium: 114.0.5735.90 (Official Build) beta (64-bit)
Revision 386bc09e8f4f2e025eddae123f36f6263096ae49-refs/branch-heads/5735@{#1052}
OS Windows 10 Version 22H2 (Build 19045.3031)

Shared Steps:

  1. installed 1.53.76
  2. launched Brave
  3. set brave://flags/#brave-localhost-access-permission to Enabled
  4. clicked Relaunch
  5. added the following:

         # https://shivankaul.com/brave/localhost/
         shivankaul.com

     to localhost-permission-allow-list.txt in C:\Users\steph\AppData\Local\BraveSoftware\Brave-Browser-Beta\User Data\afalakplffnnnlkncjhbmahjfjhmlkal\1.0.342\1
  6. created a tests dir on my desktop
  7. placed a logo.png file in the same directory
  8. ran python3 -m http.server 8000, also from tests

Subresource test - PASSED

(continued from Shared Steps)

  1. added @@||localhost^$domain=shivankaul.com to Create custom filters in brave://settings/shields/filters
  2. loaded https://shivankaul.com/brave/localhost/subresource.html
  3. confirmed I was prompted to Allow or Block
  4. clicked Allow
  5. confirmed my logo.png loaded
  6. confirmed https://shivankaul.com:443 appeared under Allowed to access localhost resources, in brave://settings/content/localhostAccess
  7. repeated, this time clicking Block
  8. confirmed logo.png showed a broken-image placeholder
  9. confirmed https://shivankaul.com:443 appeared under Not allowed to access localhost resources in brave://settings/content/localhostAccess
[Screenshots: Custom filter rule; localhost-permission prompt; Allowed; Blocked; Allowed to access...; Not allowed to access...]

iframe test - PASSED

(continued from Shared Steps)

  1. loaded https://shivankaul.com/brave/localhost/iframe.html
  2. confirmed I was prompted to Allow or Block
  3. clicked Allow
  4. confirmed my logo.png loaded
  5. confirmed https://shivankaul.com:443 appeared under Allowed to access localhost resources, in brave://settings/content/localhostAccess
  6. repeated, this time clicking Block
  7. confirmed logo.png showed a broken-image placeholder
  8. confirmed https://shivankaul.com:443 appeared under Not allowed to access localhost resources in brave://settings/content/localhostAccess
[Screenshots: Custom filter rule; localhost-permission prompt; Allowed; Redirect; Blocked; Allowed to access...; Not allowed to access...]

localhostAccess-priority test - PASSED

(continued from Shared Steps)

Allowed test case

  1. added shivankaul.com to Allowed to access localhost resources, in brave://settings/content/localhostAccess
  2. loaded https://shivankaul.com/brave/localhost/subresource.html
  3. confirmed no localhost-permissions prompt dialog

Confirmed logo.png rendered


Not allowed test case

  1. added shivankaul.com to Not allowed to access localhost resources in brave://settings/content/localhostAccess
  2. loaded https://shivankaul.com/brave/localhost/subresource.html
  3. confirmed no localhost-permissions prompt dialog

Confirmed logo.png didn't render; only a broken-image icon, in its place


stephendonner added QA Pass-Win64 QA/In-Progress and removed QA/In-Progress labels Jun 2, 2023

stephendonner commented Jun 5, 2023

Verification PASSED using

Brave 1.53.81 Chromium: 114.0.5735.90 (Official Build) beta (x86_64)
Revision 386bc09e8f4f2e025eddae123f36f6263096ae49-refs/branch-heads/5735@{#1052}
OS macOS Version 11.7.7 (Build 20G1345)

Shared Steps:

  1. installed 1.53.81
  2. launched Brave
  3. set brave://flags/#brave-localhost-access-permission to Enabled
  4. clicked Relaunch
  5. added the following:

         # https://shivankaul.com/brave/localhost/
         shivankaul.com

     to localhost-permission-allow-list.txt in /Users/stephendonner/Library/Application Support/BraveSoftware/Brave-Browser-Beta/afalakplffnnnlkncjhbmahjfjhmlkal/1.0.344/1
  6. created a tests dir on my desktop
  7. placed a logo.png file in the same directory
  8. ran python3 -m http.server 8000, also from tests

[Screenshots: brave://flags; localhost-permission-allow-list; python3 -m http.server 8000]

Subresource test - PASSED

(continued from Shared Steps)

  1. added @@||localhost^$domain=shivankaul.com to Create custom filters in brave://settings/shields/filters
  2. loaded https://shivankaul.com/brave/localhost/subresource.html
  3. confirmed I was prompted to Allow or Block
  4. clicked Allow
  5. confirmed my logo.png loaded
  6. confirmed https://shivankaul.com:443 appeared under Allowed to access localhost resources, in brave://settings/content/localhostAccess
  7. repeated, this time clicking Block
  8. confirmed logo.png showed a broken-image placeholder
  9. confirmed https://shivankaul.com:443 appeared under Not allowed to access localhost resources in brave://settings/content/localhostAccess
[Screenshots: Custom filter rule; localhost-permission prompt; Allowed; Blocked; Allowed to access...; Not allowed to access...]

iframe test - PASSED

(continued from Shared Steps)

  1. loaded https://shivankaul.com/brave/localhost/iframe.html
  2. confirmed I was prompted to Allow or Block
  3. clicked Allow
  4. confirmed my logo.png loaded
  5. confirmed https://shivankaul.com:443 appeared under Allowed to access localhost resources, in brave://settings/content/localhostAccess
  6. repeated, this time clicking Block
  7. confirmed logo.png showed a broken-image placeholder
  8. confirmed https://shivankaul.com:443 appeared under Not allowed to access localhost resources in brave://settings/content/localhostAccess
[Screenshots: Custom filter rule; localhost-permission prompt; Allowed; Redirect; Blocked; Allowed to access...; Not allowed to access...]

localhostAccess-priority test - PASSED

(continued from Shared Steps)

Allowed test case

  1. added shivankaul.com to Allowed to access localhost resources, in brave://settings/content/localhostAccess
  2. loaded https://shivankaul.com/brave/localhost/subresource.html
  3. confirmed no localhost-permissions prompt dialog

Confirmed logo.png rendered


Not allowed test case

  1. added shivankaul.com to Not allowed to access localhost resources in brave://settings/content/localhostAccess
  2. loaded https://shivankaul.com/brave/localhost/subresource.html
  3. confirmed no localhost-permissions prompt dialog

Confirmed logo.png didn't render; only a broken-image icon, in its place


stephendonner added QA Pass-macOS and removed QA/In-Progress labels Jun 5, 2023

MadhaviSeelam commented Jun 8, 2023

Verification PASSED using

Brave | 1.53.85 Chromium: 114.0.5735.110 (Official Build) beta (64-bit)
-- | --
Revision | 1c828682b85bbc70230a48f5e345489ec447373e-refs/branch-heads/5735_90@{#13}
OS | Linux

Shared Steps:

  1. installed 1.53.85
  2. launched Brave
  3. set brave://flags/#brave-localhost-access-permission to Enabled
  4. clicked Relaunch
  5. added the following:

         # https://shivankaul.com/brave/localhost/
         shivankaul.com

     to localhost-permission-allow-list.txt in ~/.config/BraveSoftware/Brave-Browser-Beta/afalakplffnnnlkncjhbmahjfjhmlkal/1.0.348/1
  6. created a tests dir on my desktop
  7. placed a logo.png file in the same directory
  8. ran python3 -m http.server 8000, also from tests

Subresource test - PASSED

(continued from Shared Steps)

  1. added @@||localhost^$domain=shivankaul.com to Create custom filters in brave://settings/shields/filters
  2. loaded https://shivankaul.com/brave/localhost/subresource.html
  3. confirmed I was prompted to Allow or Block
  4. clicked Allow
  5. confirmed my logo.png loaded
  6. confirmed https://shivankaul.com:443 appeared under Allowed to access localhost resources, in brave://settings/content/localhostAccess
  7. repeated, this time clicking Block
  8. confirmed logo.png showed a broken-image placeholder
  9. confirmed https://shivankaul.com:443 appeared under Not allowed to access localhost resources in brave://settings/content/localhostAccess
[Screenshots: Custom filter rule; localhost-permission prompt; Allowed; Blocked; Allowed to access...; Not allowed to access...]

iframe test - PASSED

(continued from Shared Steps)

  1. loaded https://shivankaul.com/brave/localhost/iframe.html
  2. confirmed I was prompted to Allow or Block
  3. clicked Allow
  4. confirmed my logo.png loaded
  5. confirmed https://shivankaul.com:443 appeared under Allowed to access localhost resources, in brave://settings/content/localhostAccess
  6. repeated, this time clicking Block
  7. confirmed logo.png showed a broken-image placeholder
  8. confirmed https://shivankaul.com:443 appeared under Not allowed to access localhost resources in brave://settings/content/localhostAccess
[Screenshots: Custom filter rule; localhost-permission prompt; Allowed; Redirect; Blocked; Allowed to access...; Not allowed to access...]

localhostAccess-priority test - PASSED

(continued from Shared Steps)

Allowed test case

  1. added shivankaul.com to Allowed to access localhost resources, in brave://settings/content/localhostAccess
  2. loaded https://shivankaul.com/brave/localhost/subresource.html
  3. confirmed no localhost-permissions prompt dialog

Confirmed logo.png rendered


Not allowed test case

  1. added shivankaul.com to Not allowed to access localhost resources in brave://settings/content/localhostAccess
  2. loaded https://shivankaul.com/brave/localhost/subresource.html
  3. confirmed no localhost-permissions prompt dialog

Confirmed logo.png didn't render; only a broken-image icon, in its place


Disable the setting Sites can request access to localhost resources - PASSED

(continued from Shared Steps)

  1. toggle OFF Sites can request access to localhost resources in brave://settings/content/localhostAccess
  2. load https://shivankaul.com/brave/localhost/subresource.html

Confirmed no localhost-permissions prompt dialog

Confirmed logo.png didn't render; only a broken-image icon, in its place


Contributor

hffvld commented Jul 17, 2023

Verified on Pixel 5 using version(s):

Device/OS: Pixel 5 [redfin-userdebug 13 TQ2A.230405.003 dev-keys]
Brave build: 1.56.6
Chromium: 115.0.5790.90 (Official Build) (64-bit)
Revision: 86fb9d04c92b490e6cc0026ca58cb1a98735eea3-refs/branch-heads/5790@{#1583}

Filed issue #31683

STEPS:

  1. Install 1.56.x build > Launch Brave
  2. Set brave://flags/#brave-localhost-access-permission to Enabled > Relaunch Brave
  3. Add the following:

         # https://shivankaul.com/brave/localhost/
         shivankaul.com

     to localhost-permission-allow-list.txt in ~/data/data/com.brave.browser/app_chrome/afalakplffnnnlkncjhbmahjfjhmlkal/1.0.383/1
  4. Install Simple HTTP server (by Phlox Development) from GPS on Android device
  5. Launch the app, allow necessary app permissions and start the server with default values. Confirm status is running
  6. Relaunch Brave app, open new tab and navigate to http://localhost:8000 in the url bar, confirm you are able to access localhost server
  7. Open terminal window and make sure device is connected via adb. Confirm app data folder location for simple http server by using the following command: adb shell ls /storage/emulated/0/Android/data/com.phlox.simpleserver/files
  8. If simple http server is not found in this path, locate it in the device storage by searching in directories in /storage
  9. Download logo.png in the below images and cd into the directory containing the downloaded image. Use this adb command to push the png to the http server root directory in the android device: adb push ./logo.png /storage/emulated/0/Android/data/com.phlox.simpleserver/files/logo.png
  10. Update the tab where localhost is running in brave app and it should now show the logo.png in the root directory. Tap on the file in the list to open the logo image
  11. Navigate to brave://adblock and enter this rule in the custom ad block field @@||localhost^$domain=shivankaul.com
  12. Open https://shivankaul.com/brave/localhost/ and go through the URLs > Verify

ACTUAL RESULTS:

  • Verified that loading subresource https://shivankaul.com/brave/localhost/subresource image test page will prompt user with permission dialog
  • Verified that loading service worker https://shivankaul.com/brave/localhost/sw image test page will prompt user with permission dialog
  • Verified that loading websockets https://shivankaul.com/brave/localhost/ws_client image test page will prompt user with permission dialog
  • Verified that loading iframe https://shivankaul.com/brave/localhost/iframe image test page will prompt user with permission dialog
  • Verified that allowing localhost permission on test pages will load the resource
  • Verified that selecting localhost permission will set the appropriate exception for the domain under localhost in site settings
  • that loading https://shivankaul.com/brave/localhost/subresource image test page will prompt user with permission dialog

[Screenshots: subresource; service worker; websockets; iframe; Allowed (2); Blocked (2)]
