← All tests

Google Font Loading

Loads a web font from Google's servers (fonts.googleapis.com / fonts.gstatic.com) and checks whether the download actually succeeded.

google-font-loading/

Cache Storage Clearing

Tests whether 'Forget me when I close this site' clears the Cache Storage API (window.caches) after the site is closed.

cache-storage-clearing/

Local Frames Tests

Tests for security and privacy behavior inside about:blank and other local iframes — content filtering, cookies, JS fetch, mixed content, network scan, permissions, and secure content.

local-frames/

Canvas Farbling Cross-Site

Draws an identical canvas on both sites and measures how much Brave's per-eTLD+1 farbling actually changes the readback.

canvas-farbling/

Payment Request API Language Fingerprint Bypass

Tests whether the Payment Request API leaks the full Accept-Language header even when 'Prevent sites from fingerprinting me based on my language preferences' is enabled. Brave reduces Accept-Language in BraveProxyingURLLoaderFactory, but PaymentManifestDownloader fetches manifests through the browser-process URLLoaderFactory (kPaymentRequestUseRendererUrlLoader is disabled by default), which is not proxied, so the full language list leaks.

payment-request-language-bypass/

Incognito Detection via Timing Side-Channels

Tests whether timing differences in IndexedDB durability modes, OPFS SyncAccessHandle flush, and CacheStorage operations can reveal private browsing mode. Covers three detection methods reported in brave-browser#56009.

incognito-detection-timing/

Blob URL Farbling Bypass

Tests whether Brave's fingerprinting farbling protections apply to blob: URLs opened in a new tab. Blob pages bypass the SchemeIsHTTPOrHTTPS check in GetBraveShieldsEnabled(), leaking real screen size, hardwareConcurrency, deviceMemory, languages, and user agent.

blob-farbling-bypass/

Ephemeral Third-Party Storage Clearing

Tests whether storage written by a cross-site iframe is cleared after the embedding first-party site is closed or navigated away from.

ephemeral-3p-clearing/

Viewport Units (svh/lvh/dvh)

Tests whether the browser correctly distinguishes svh, lvh, and dvh viewport units on mobile, per CSS Values Level 4.

viewport-units/

Viewport Keyboard Resize

Tests whether the browser incorrectly resizes the layout viewport when the virtual keyboard appears.

viewport-keyboard/

Noscript Subdomain Redirect

Tests whether browsers protect against <noscript>-based permanent redirects to a subdomain when JavaScript is disabled.

noscript-redirect/

Storage Quota Fingerprinting

Tests whether storage quota APIs leak different values in normal vs. private browsing, enabling incognito detection. Covers both the modern navigator.storage API and the legacy webkitTemporaryStorage API.

storage-quota-fingerprint/

De-AMP Content-Disposition: attachment Bypass

Tests that AMP pages served with Content-Disposition: attachment are downloaded, not De-AMPed.

de-amp-download/

Server-Side Redirect

Tests browser behavior on a server-side 302 redirect to a cross-site destination (lobste.rs).

server-redirect/

De-AMP Sec-Fetch-Site Bypass

Tests whether De-AMP redirects preserve the cross-site hop in the Sec-Fetch-Site header.

de-amp/

Third-Party Cookies

Tests whether a cross-site iframe can read cookies set when its origin was top-level.

third-party-cookies/

Storage Access API

Tests whether a cross-site iframe can regain access to its first-party cookies via the Storage Access API.

storage-access/

window.name Clearing

Tests whether the browser clears window.name on cross-origin navigations.

window-name-clearing/