Open Bug 1377509 Opened 3 years ago Updated 10 months ago

Enable Fennec to populate first party domain as socks username

Categories

(Firefox for Android :: General, enhancement, P5)

People

(Reporter: tjr, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [tor-mobile])

Tor on Desktop populates the SOCKS username, which is used by Tor to provide a different circuit per tab. We should enable this same behavior in Fennec.
Amogh and/or Arthur, could you expand on what it is we need to do specifically for this?
Flags: needinfo?(arthuredelstein)
Flags: needinfo?(amoghbl1)
Tor Browser (desktop) creates a new Tor circuit for each first-party domain (URL bar domain). So two tabs (and all associated requests) with the same first-party domain use the same circuit, but two tabs with different first-party domains use different circuits.

This functionality is implemented in torbutton, here:
https://gitweb.torproject.org/torbutton.git/tree/src/components/domain-isolator.js
but of course it could be refactored as a patch in the gecko codebase.

Briefly, by default, the Tor process has the IsolateSOCKSAuth option enabled, which means "Don’t share circuits with streams for which different SOCKS authentication was provided." So domain-isolator.js assigns a new username/password combination for each new first-party domain. In our current implementation, the username is set to the first-party domain, and the password is set to a nonce, which allows us to force a new circuit for the same first-party domain as needed. A new nonce is created whenever the user chooses the option "New Tor Circuit for this Site".

The implementation works as follows: to assign SOCKS username/passwords, domain-isolator.js uses a "proxy filter" to intercept nascent http channels. The first party domain is obtained by:
 `firstPartyDomain = channel.loadInfo.originAttributes.firstPartyDomain;`
and then a new proxyInfo object is created, same as the channel's original one but with SOCKS username and password added.

SOCKS username and passwords are displayed in "circuit status" responses in Tor's control port protocol. So that's a good way to confirm that circuits are being correctly assigned a first-party domain. (Tor's circuit display makes use of the control port this way: https://gitweb.torproject.org/torbutton.git/tree/src/chrome/content/tor-circuit-display.js)
Flags: needinfo?(arthuredelstein)
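
The scheme described in the comment above, modelled as an added example that is not part of the bug thread and is not torbutton's or Gecko's code: credentials are assigned per first-party domain, and circuit-status lines are checked to see which circuits carry which domain. The names `DomainIsolator`, `parseCircuitLine` and `auditCircuits` and the sample lines are assumptions made for illustration.

```javascript
// Added illustration. DomainIsolator, parseCircuitLine and auditCircuits are
// hypothetical names, not torbutton or Gecko APIs.
const { randomBytes } = require("crypto");

class DomainIsolator {
  constructor() { this.nonces = new Map(); } // first-party domain -> nonce
  // Username = first-party domain, password = nonce, as described above.
  credentialsFor(firstPartyDomain) {
    if (!this.nonces.has(firstPartyDomain)) this.newCircuitFor(firstPartyDomain);
    return { username: firstPartyDomain, password: this.nonces.get(firstPartyDomain) };
  }
  // "New Tor Circuit for this Site": a fresh nonce changes the SOCKS auth, so
  // IsolateSOCKSAuth keeps new streams off the circuit used so far.
  newCircuitFor(firstPartyDomain) {
    this.nonces.set(firstPartyDomain, randomBytes(16).toString("hex"));
  }
}

// Extract the SOCKS credentials from one "circuit status" line.
function parseCircuitLine(line) {
  const [id, status] = line.split(" ");
  const field = (key) => {
    const m = line.match(new RegExp(`\\b${key}="((?:[^"\\\\]|\\\\.)*)"`));
    return m ? m[1] : null;
  };
  return { id, status, username: field("SOCKS_USERNAME"), password: field("SOCKS_PASSWORD") };
}

// Group built circuits by first-party domain; list those with no SOCKS username.
function auditCircuits(lines) {
  const byDomain = new Map();
  const untagged = [];
  for (const c of lines.map(parseCircuitLine)) {
    if (c.status !== "BUILT") continue;
    if (c.username === null) { untagged.push(c.id); continue; }
    if (!byDomain.has(c.username)) byDomain.set(c.username, []);
    byDomain.get(c.username).push(c.id);
  }
  return { byDomain, untagged };
}

// Constructed sample lines (relay path omitted, passwords shortened).
const SAMPLE = [
  '7 BUILT PURPOSE=GENERAL SOCKS_USERNAME="example.com" SOCKS_PASSWORD="a1"',
  '8 BUILT PURPOSE=GENERAL SOCKS_USERNAME="example.org" SOCKS_PASSWORD="b2"',
  '9 BUILT PURPOSE=GENERAL SOCKS_USERNAME="example.com" SOCKS_PASSWORD="c3"',
  "10 BUILT PURPOSE=GENERAL",
  '11 EXTENDED PURPOSE=GENERAL SOCKS_USERNAME="example.net" SOCKS_PASSWORD="d4"',
];
```

In the sample, circuits 7 and 9 share a first-party domain but differ in password, which is what a nonce change for that site produces; circuit 10 has no SOCKS username and so is not tied to any first-party domain.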
Re-triaging per https://bugzilla.mozilla.org/show_bug.cgi?id=1473195

Needinfo :susheel if you think this bug should be re-triaged.
Priority: P3 → P5