Yawning Angel:
[snip]
My question is, what causes Tor Browser to set the SOCKS username to "--unknown--" and what the behavior should be in that case if:
Ideally, "--unknown--" would only be used for requests originating from privileged browser code and not belonging to a website/resource a user requested. This would encompass things like extension update requests, browser update requests, blocklist checks, and requests issued by installed extensions, to name just a few. In reality, however, we are not there yet (see e.g. #13670, #15599, #15555, #15569, plus there is at least one bug I have not filed yet).
- The destination is a ".onion" address.
#15499 should give you an idea (although I am not sure whether that ticket is still valid).
- The destination is a ".i2p" address.
I don't know. Maybe we/you should coordinate that with the I2P folks?
- The destination is the I2P management console.
I'm fairly sure this should be "deny".
Sounds good.
- The destination is any other address (will be dispatched over Tor if running, I don't think I will attempt to support I2P outproxies because they suck). (I think allow because things break otherwise?)
I am not sure, honestly. What do you have in mind?
[snip]
The final form of my shim will support running with any combination of "nothing" (Tor Browser just for the "privacy benefits", probably unsafe, I may reconsider this), I2P, and Tor (Though the most useful configuration is probably I2P + Tor).
Sounds useful, indeed. But I think we should make clear to users that this will not be a proper Tor Browser replacement as you need knowledge of the browser state to make correct assumptions on whether to put requests into the "--unknown--" bucket or not. And I currently don't see how your shim is able to accomplish that.
Georg