What various browsers call upon initial launch

Discussion in 'other software & services' started by 142395, Sep 3, 2019.

  1. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,920
    apples and oranges.
    brave is chromium based, firefox not. first is service, amazon is AWS cloud services from mozilla, same for akamai IMO for widevine/gmp. internal updates.
    but as visible brave does similar, make your conclusion.

    was futile since beginning - from my view. ssl is not really a gain if you don't use sensitive data. and it can lead to mixed content pages.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Well, I do think it's a problem, I believe that when certain features are disabled, a browser should make zero connections. Who knows what data they are collecting.
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    It's still a partial gain in a simple, yet elegant manner by whitelisting only selected https top level domains, even though there's lots of malicious activity, especially on the .com domains. If I get re-directed to an http site or one with a specific IP address, or another country TLD, javascript will be denied. Of course, this javascript whitelisting isn't the only browser hardening I have in place. It does nicely augment all other hardening I've put in place.
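
The rule described in the post above, written out as a decision function. This is an added example, not part of the thread or of any extension's code; the whitelist contents and the name `scriptDecision` are assumptions, and the URLs are constructed samples.

```javascript
// Constructed sample whitelist of TLDs; the real list is the user's choice.
const ALLOWED_TLDS = new Set(["com", "org", "net"]);

// Decide whether page scripts may run for a given top-level URL:
// allow only https pages on a whitelisted TLD, deny http, IP literals
// and every other TLD (default deny).
function scriptDecision(rawUrl, allowedTlds = ALLOWED_TLDS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { allow: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") {
    return { allow: false, reason: "not https" };
  }
  // Lower-case and drop a trailing root dot ("example.com." == "example.com").
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  // IPv6 literals are bracketed in URL.hostname.
  if (host.startsWith("[")) {
    return { allow: false, reason: "IP literal" };
  }
  // The URL parser normalises numeric hosts (hex, single integer) to a
  // dotted quad, so one pattern covers the IPv4 forms.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    return { allow: false, reason: "IP literal" };
  }
  const labels = host.split(".");
  if (labels.length < 2) {
    return { allow: false, reason: "no TLD" };
  }
  const tld = labels[labels.length - 1];
  if (!allowedTlds.has(tld)) {
    return { allow: false, reason: "TLD not whitelisted" };
  }
  return { allow: true, reason: "https on whitelisted TLD" };
}
```

A lookalike host such as `https://examp1e.com/` is still allowed by this rule, because it is https on a whitelisted TLD; the policy filters by scheme and TLD only, not by site identity.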
     
  4. 142395

    142395 Guest

    EFF's page explains the attack roughly. Adding to it, if you're careful enough to notice either (1) the lock icon disappeared (attacker simply used http page) or (2) the domain is spoofed (example.com → examp1e.com: attacker used a malicious https page), you'll be safe in most cases. But the javascript is not relevant to this attack.

    The security benefits of disabling javascript are: (1) preventing XSS, (part of) CSRF, etc. (2) memory corruption exploit (e.g. foiling heap-spraying) & (3) Magecart style attack. For (1) the right strategy is never to allow javascript for your important pages when you're on other sites (i.e. allow script only when the URL bar displays yourbanking.com). For (2) nothing is sure, but more and more criminals are abusing https for several reasons (e.g. bypass NIPS). And for (3) the 2nd-best is blocking 3rd party script by default (the best is to deny every script and control XHR, which will not be easy to manage for many ppl). In all cases, I don't see much sense in disabling script on http sites but not on https sites.
     
    Last edited by a moderator: Sep 15, 2019
  5. 142395

    142395 Guest

    Then the only options will be a text browser like Lynx, or using a firewall to block these connections. Modern browsers have evolved so much that they're no longer just for what-was-once-called web surfing, and they make connections to ensure their function and the user's (i.e. common people's) security. Making a connection does not necessarily mean sending data.
     
    Last edited by a moderator: Sep 15, 2019
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    I also use uBlock Origin for script control on all web sites, and a firewall for remote restrictions. Keep in mind too that the browser script control I have in place will default deny foreign domains and IP based remote connections as well.
     
  7. 142395

    142395 Guest

    I see, I originally just meant disabling javascript does not eliminate the benefit of Https Everywhere. What is needed to prevent the aforementioned attack (in addition to being careful with the URL bar): always go to your important sites directly via bookmark or password manager and use a trusted VPN on free wifi or at least encrypt DNS traffic (less secure). It's also no harm to check whether all your important sites are included in the HSTS preload list.

    I personally don't have the addon, not because Brave already has it incorporated (I also use Fx), but as a matter of choice. For mixed content modern browsers already block active content which is mostly enough when you follow best practice, but u can also block remnants both on Fx (about:config) & Chromium (command-line) if u want.
     