commit b4b41e381bc7be90a90c5a2d30444f1a06b0dc70
parent a0c5761e78def509afb4e9866aa4b2f76967806a
Author: Kershaw Chang <kershaw@mozilla.com>
Date: Tue, 6 Jan 2026 15:41:36 +0000
Bug 2004918 - Add nsIProxyInfo::ALWAYS_TUNNEL_VIA_PROXY flag, r=sstreich,necko-reviewers,ip-protection-reviewers
Differential Revision: https://phabricator.services.mozilla.com/D275606
Diffstat:
4 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/browser/components/ipprotection/IPPChannelFilter.sys.mjs b/browser/components/ipprotection/IPPChannelFilter.sys.mjs
@@ -12,7 +12,8 @@ const lazy = XPCOMUtils.declareLazy({
iid: Ci.nsIProtocolProxyService,
},
});
-const { TRANSPARENT_PROXY_RESOLVES_HOST } = Ci.nsIProxyInfo;
+const { TRANSPARENT_PROXY_RESOLVES_HOST, ALWAYS_TUNNEL_VIA_PROXY } =
+ Ci.nsIProxyInfo;
const failOverTimeout = 10; // seconds
const MODE_PREF = "browser.ipProtection.mode";
@@ -108,7 +109,7 @@ export class IPPChannelFilter {
protocol.port,
authToken,
isolationKey,
- TRANSPARENT_PROXY_RESOLVES_HOST,
+ TRANSPARENT_PROXY_RESOLVES_HOST | ALWAYS_TUNNEL_VIA_PROXY,
failOverTimeout,
fallBackInfo
);
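Review bot: The flag combination `TRANSPARENT_PROXY_RESOLVES_HOST | ALWAYS_TUNNEL_VIA_PROXY` is spelled inline in this one call, so any other proxy info built in this class, including whatever produces `fallBackInfo`, can end up without the tunnel bit. The enclosing method starts and ends outside the hunk, so it is not visible whether the fallback entry is created with the same flags. If it is not, a failover would presumably send plain-HTTP requests to the proxy untunneled. Consider a module-level `const PROXY_FLAGS = TRANSPARENT_PROXY_RESOLVES_HOST | ALWAYS_TUNNEL_VIA_PROXY;` next to the destructuring, and pass `PROXY_FLAGS` wherever a proxy info is constructed.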
diff --git a/netwerk/base/nsIProxyInfo.idl b/netwerk/base/nsIProxyInfo.idl
@@ -117,4 +117,10 @@ interface nsIProxyInfo : nsISupports
* do any form of DNS lookup ourselves.
*/
const unsigned short TRANSPARENT_PROXY_RESOLVES_HOST = 1 << 0;
+
+ /**
+ * When set, force all requests to use an HTTP CONNECT tunnel
+ * through the proxy.
+ */
+ const unsigned short ALWAYS_TUNNEL_VIA_PROXY = 1 << 1;
};
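Review bot: The doc comment on `ALWAYS_TUNNEL_VIA_PROXY` does not say how the flag takes effect or which proxy types it applies to. The C++ hunks in this commit translate it into `nsIProtocolProxyService::RESOLVE_ALWAYS_TUNNEL` on the proxy info's resolve flags without looking at the proxy type, so a caller reading only the IDL cannot tell what happens for a type that has no CONNECT method. I would extend the comment with a sentence such as `Implemented by OR-ing nsIProtocolProxyService::RESOLVE_ALWAYS_TUNNEL into the proxy info's resolve flags.` and one that states the behaviour for non-HTTP(S) proxy types once that is confirmed.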
diff --git a/netwerk/base/nsProtocolProxyService.cpp b/netwerk/base/nsProtocolProxyService.cpp
@@ -2108,6 +2108,9 @@ nsresult nsProtocolProxyService::NewProxyInfo_Internal(
proxyInfo->mPassword = aPassword;
proxyInfo->mFlags = aFlags;
proxyInfo->mResolveFlags = aResolveFlags;
+ if (aFlags & nsIProxyInfo::ALWAYS_TUNNEL_VIA_PROXY) {
+ proxyInfo->mResolveFlags |= nsIProtocolProxyService::RESOLVE_ALWAYS_TUNNEL;
+ }
proxyInfo->mTimeout =
aFailoverTimeout == UINT32_MAX ? mFailedProxyTimeout : aFailoverTimeout;
proxyInfo->mProxyAuthorizationHeader = aProxyAuthorizationHeader;
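Review bot: The mapping from `nsIProxyInfo::ALWAYS_TUNNEL_VIA_PROXY` to `RESOLVE_ALWAYS_TUNNEL` is written out here and again in the `nsProxyInfo` constructor hunk in nsProxyInfo.cpp, so a later code path that fills `mFlags` some other way can miss it and yield a proxy info that claims the flag but does not tunnel. Putting the two-line check in one private `nsProxyInfo` method, called from both places, keeps `mFlags` and `mResolveFlags` from drifting apart. Both sites also set the bit whatever the proxy type is; whether consumers ignore `RESOLVE_ALWAYS_TUNNEL` for non-HTTP(S) types is not visible in this diff and is worth confirming. None of the four files in the diffstat is a test, so a check that a proxy info created with the flag reports `RESOLVE_ALWAYS_TUNNEL` in its resolve flags would pin the behaviour. `NewProxyInfo_Internal` starts and ends outside this hunk.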
diff --git a/netwerk/base/nsProxyInfo.cpp b/netwerk/base/nsProxyInfo.cpp
@@ -8,6 +8,7 @@
#include "mozilla/net/NeckoChannelParams.h"
#include "nsCOMPtr.h"
+#include "nsIProtocolProxyService.h"
namespace mozilla {
namespace net {
@@ -61,6 +62,10 @@ nsProxyInfo::nsProxyInfo(const nsACString& aType, const nsACString& aHost,
} else {
mType = kProxyType_DIRECT;
}
+
+ if (mFlags & nsIProxyInfo::ALWAYS_TUNNEL_VIA_PROXY) {
+ mResolveFlags |= nsIProtocolProxyService::RESOLVE_ALWAYS_TUNNEL;
+ }
}
NS_IMETHODIMP