Brave Origin on Linux - What a Nyxt User Actually Sees
My primary browser is Nyxt. For anyone unfamiliar: it is a browser written in Common Lisp, controlled from a REPL, with every class and method overridable at runtime through a foreign-function interface that speaks to the underlying rendering process. Version 3.x embeds WebKitGTK as the renderer, which means the actual web-platform implementation — JavaScriptCore with its FTL tier, WebKit's DOM, WPE's compositor — is the same code that ships in Safari and GNOME Web. The Lisp process and the renderer process communicate through a foreign-interface layer designed to be swappable; a pre-release 4.x branch is replacing WebKitGTK with Electron precisely because the abstraction was built for this.
What you get from that architecture, as a daily user, is a browser in which the interface is cleanly separated from the renderer, and the interface happens to be Lisp code you can redefine while the browser is running. What you do not get is broad compatibility with the modern web. WebKitGTK's JavaScriptCore is a competent engine, but the web is written and tested against V8 and Blink; DRM video is implemented through third-party GStreamer plugins with limited codec support; sites that feature-detect Chromium's specific quirks assume you either are Chromium or you will fail their checks. In practice this means Nyxt handles maybe four websites in five, and I keep a Chromium-lineage browser around for the fifth.
That slot has been filled by Chromium, ungoogled-chromium, Firefox, Librewolf, and Brave over the years. I am writing this because Brave Origin was released on April 21. The technical decision behind it, especially on Linux at the build level, is actually more interesting than the way it is being marketed.
What Brave Origin actually is at the build level
Brave Origin ships in two variants, and this distinction matters because it is not what the Brave blog implies.
The first variant is a standalone build. Features are compiled out at the GN/ninja level, such as enable_brave_wayback_machine=false, enable_brave_vpn=false, and enable_speedreader=false, along with every other feature they remove. The binary does not include the code paths for Leo, Rewards, Wallet, VPN, Talk, Tor integration, News, Playlist, Speedreader, Wayback Machine, or Web Discovery Project. The C++ implementation of the crypto wallet is not behind a runtime flag; it is not linked in at all. The same applies to Leo's model-loading code, Rewards' BAT ledger logic, the VPN client, and the Tor launcher. This represents architectural subtraction, and anyone with a clone of brave/brave-core and the patience to compare the build flags can audit it.
The second variant is an upgrade mode on top of standard Brave. It changes runtime preferences to disable the same features without removing the code. This approach is genuinely less honest. The features still exist in the binary, and the attack surface stays the same. A user who wants to re-enable any of these features can do so through a settings panel. Brave markets both options as "Brave Origin," but only the standalone build is truly minimal.
On Linux, both variants are free. On other platforms, both cost $60 for up to 10 devices, tracked through a Privacy Pass blind-token scheme (decoupling the payment identity from the license check — reasonable crypto, debatable business model). The Linux exception is not explained in the official announcement. The implicit logic is defensible: Linux users were either going to strip the features themselves through policy files and custom builds, or avoid Brave entirely. Charging them produces no revenue and significant negative press. Giving it away on Linux is a cheap PR move that happens to benefit the audience most likely to notice.
Which is why I am writing about it.
The ad blocker is why this matters
Brave's interesting piece, from an architectural standpoint, is not the privacy theatre around Rewards or the Web3 integration. It is adblock-rust — the MPL-2.0 licensed Rust library that handles network-level content blocking, and how it hooks into Chromium.
Every other Chromium-based ad blocker works through the extension API. In Manifest V2 this meant chrome.webRequest.onBeforeRequest with the blocking option — synchronous callbacks to JavaScript that could inspect and cancel requests. Manifest V3 removed the synchronous blocking form; extensions must now register static declarative rules through declarativeNetRequest, with a hard rule count limit (30,000 static rules per extension, 5,000 dynamic) and no ability to inspect request bodies. EasyList alone has tens of thousands of rules; uBlock Origin's effective rule set runs well above 300,000 entries. Manifest V3 made the extension-based ad-blocker architecture structurally inadequate for the lists that actually exist.
Brave's shields do not use the extension API at all. The adblock-rust engine is linked directly into the browser's network service and intercepts requests at the URLLoaderFactory layer, which is below the entire extension system. Requests are classified in roughly 5.6 microseconds per entry according to Brave's 2019 benchmarks — the exact number is not important, but the order of magnitude is: fast enough that the cost of running every request against a 300,000-rule list is invisible in frame-budget terms. This is not a privacy feature dressed as performance. It is a different place in the architecture entirely.
The practical consequence is that adblock-rust in Brave does things no Chrome extension running on Chrome can do, by design of Chrome's extension API restrictions. It inspects every network request including the ones that are invisible to extensions (CORS preflights, navigation requests, certain subframe loads). It can modify requests, not just cancel them. It integrates with cosmetic filtering at the renderer level through a separate IPC channel, applying CSS-based hiding rules that are scoped per-origin and per-frame.
This is the reason I am willing to consider a Chromium-lineage browser at all. The network-layer blocking is genuinely better than what a Manifest V3 world allows extensions to do, and it will remain so for as long as Google owns Chromium's extension policy.
Farbling, honestly
The other architecturally interesting piece is Brave's "farbling," which refers to their method of applying per-origin deterministic randomization to distinguishable APIs. This is not a blanket spoof. It works like this:
A cryptographically seeded pseudo-random noise function is constructed per-origin per-session. Canvas reads (getImageData, toDataURL, toBlob) pass through this function, adding low-amplitude pseudo-random perturbations to the pixel output. AudioContext reads (getChannelData, copyFromChannel, and AnalyserNode methods after brave/brave-browser#42356 was fixed in late 2024) pass through a similar farbling helper. Similar perturbations are applied to WebGL readbacks, navigator.hardwareConcurrency, the order returned by enumerateDevices, and several other surfaces. The noise is deterministic for a given (origin, session) pair — which preserves site compatibility — and different across origins, which defeats naive cross-site linking.
This is a different approach from Tor Browser's, which disables the relevant APIs entirely, which attempts to make every browser report identical values.
Brave Origin inherits the farbling stack unchanged. This is the right call — these defenses are genuinely useful, even if not bulletproof, and they are implemented at the Blink/V8 layer where an extension could not reach them.
What Origin actually removes, in order of what I cared about
Ranked by how much each removal actually improved my browser's behaviour:
Web Discovery Project. This was a telemetry pipeline that submitted anonymized browsing metadata — specifically, URLs visited, search queries issued, and some page structure data — back to Brave's servers, with a claim that the data was stripped of identifying elements client-side before transmission. The implementation is open source and the anonymization is real. I still did not want it running. Compiling it out means I do not have to trust the anonymization to be correctly implemented forever; I only have to trust that the build flag does what it says, which is much easier to verify.
P3A (Privacy-Preserving Product Analytics). Usage metrics, crash reports, daily pings. All nominally anonymized through k-anonymity and differential privacy techniques. All removed in Origin. Same reasoning as above: I do not want to audit an anonymization pipeline continuously. I want the traffic to not happen.
Rewards and the BAT ledger. The crypto wallet for receiving Basic Attention Token in exchange for viewing ads. The backend code for this — ledger synchronization, promotion claim, balance management — is substantial. Removing it removes entire classes of bugs that could expose value or leak information. It also removes the UI surface that was never going to stop nagging me to enable it.
Leo (the AI assistant). A client for Brave's hosted LLM inference. Removes the feature, obviously. Also removes the code paths that send prompt content to Brave's inference servers. I run local inference with ollama; I do not need another LLM integration, and certainly not one that requires trust in a third-party hosted backend.
Tor integration. Removed. Slightly controversial — the private-window-with-Tor feature was genuinely useful as a low-friction way to route occasional traffic through Tor. But the Brave implementation was always inferior to just running Tor Browser when you want Tor, and removing it removes the risk of misuse (users assuming private-Tor-windows are actually protecting them when several identifying channels leak around them). The right tool for Tor is Tor Browser. Brave's integration was a sharp edge.
Brave VPN. On Linux, the Brave VPN has never worked properly — the firewall integration the client relies on on Windows and macOS has no clean Linux equivalent and the feature was permanently broken for me. Origin removes the non-functional client code entirely. Net improvement.
Speedreader, Wayback Machine, Talk, News, Playlist. Mixed. Speedreader (a reader-mode implementation) and Wayback Machine integration were both genuinely useful occasionally. Talk (WebRTC video calling via Jitsi), News (an RSS reader), and Playlist (offline video queue) I never used. The upgrade variant of Origin leaves these features in the binary and toggles them off, which is the right call if you want to re-enable Speedreader selectively. The standalone variant removes them entirely.
Nyxt architecture, and why a Chromium fork does not replace it
The reason I use Nyxt is not that it is private, though it is private-by-accident in the sense that it ships no telemetry because it ships no features anyone could use to monetize telemetry. The reason I use Nyxt is that I can type M-x and get a command palette, type C-x b and get a buffer list, define a new command by writing a Common Lisp function and having it hot-loaded, and override browser behaviour by redefining a class method at the REPL while the browser is running. None of this is possible in any Chromium fork and none of it will be possible in the foreseeable future. The extension APIs Chromium exposes are specifically designed to prevent this level of control, because the level of control a power user wants and the level of control a malicious extension wants are indistinguishable from the browser's perspective.
What Brave Origin is, architecturally, is a Chromium fork with the commercial features compiled out, a network-level content blocker that bypasses the extension-layer restrictions Google imposed, and a tracking-resistance stack implemented at the renderer engine level where extensions cannot reach. That is a defensible technical position and it is the best available answer to the question "what Chromium do I install when Nyxt cannot handle the site." It does not replace Nyxt, because it cannot. It replaces Chrome, and it replaces the previous-generation Chromium forks I have rotated through, because the architecture is genuinely better.
On Linux, the cost of finding out whether this is true for you is zero. The binary exists. Run it. Audit the process tree, inspect the network activity at startup, strace the first thirty seconds of a cold launch and see what it actually does. I did. It does what it says.
That is the most I have ever been able to say about a mainstream browser.