A browser that markets itself as privacy‑first should not be turning on a network discovery feature by default as if it were a trivial setting. If the Brave team’s operational goal is to expand the browser’s attack surface (more than they already have) they’ve made a strong start. Forcing users to manually opt out of Media Router to protect their systems and data directly contradicts the principle of “privacy by default.” This is exactly the kind of behavior many users left Chrome to avoid.
Media Router is not a harmless convenience toggle. Under the hood, it relies on automatic device discovery protocols such as SSDP and UPnP on the local network. That means the browser is actively participating in multicast discovery traffic and probing for devices that advertise casting endpoints. Enabling this behavior by default alters the browser’s network footprint and introduces additional code paths and interactions that would otherwise not exist.
Any feature that performs automated device discovery should be treated as a security‑sensitive capability. SSDP has a long history of being abused in poorly configured environments, and expanding the browser’s participation in that ecosystem increases the potential attack surface. At a minimum, it amplifies observable network activity and exposes extra logic that can be triggered by devices on the local network.
Quietly turning this on without user knowledge or explanation is the opposite of responsible security design. Users were not warned, not asked, and not given any transparency about what the feature does or which protocols it uses. That is not what “privacy by default” looks like.
If Brave wants its privacy claims to remain credible, this needs to change. Apparently Brave’s privacy branding is negotiable when convenience features are involved. Quietly enabling network discovery features in the background is exactly the sort of practice Brave claims to stand against.