Hi everyone,
I would like some clarification on ClientRejectInternalAddresses. The manual says:
"If true, Tor does not try to fulfill requests to connect to an internal address (like 127.0.0.1 or 192.168.0.1) unless an exit node is specifically requested (for example, via a .exit hostname, or a controller request). (Default: 1)"
In other words, if I disable this flag and I open 127.0.0.1:8080 in the Tor Browser, will the browser or the tor binary attempt to connect to the client's 127.0.0.1:8080? This is essentially what I'm after, and I just want to confirm that ClientRejectInternalAddresses is the best approach, or if there is a better setting. Just to clarify, I want to connect to the client's localhost and not an exit's.
On Sun, Mar 26, 2017 at 03:06:00PM -0400, Jesse V wrote:
> In other words, if I disable this flag and I open 127.0.0.1:8080 in the Tor Browser, will the browser or the tor binary attempt to connect to the client's 127.0.0.1:8080?
No, Tor Browser will pass the request to Tor, and Tor will try to connect to that address via Tor to somebody's 127.0.0.1. And since most relays will have an exit policy that doesn't allow exiting to that address, there's a good chance there won't be any exits that are up for such a request.
It definitely should not decide to bypass the proxy, and it also shouldn't have your Tor client turn into a local mini exit relay for you.
> This is essentially what I'm after, and I just want to confirm that ClientRejectInternalAddresses is the best approach, or if there is a better setting. Just to clarify, I want to connect to the client's localhost and not an exit's.
Yeah, we try hard to make that behavior not happen.
In the Tor Browser network settings (Edit -> Preferences -> Advanced -> Network -> Settings), you'll see the "No Proxy For" box, which in my normal Firefox has 127.0.0.1 filled in. But Tor Browser makes sure to keep that box empty, so there's no accidental proxy bypass.
For more info see the "Proxy Obedience" section in the security requirements: https://www.torproject.org/projects/torbrowser/design/#security
--Roger
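
The "No Proxy For" check described in the reply above, as an added example that is not part of the original thread or any Tor Project code: it audits a prefs.js-style dump of effective preference values for settings that would let a request go around the SOCKS proxy. The pref names are the standard Firefox ones behind the network settings dialog; the two sample dumps are constructed, and treating a missing `network.proxy.no_proxies_on` as a finding (because the build default is not visible in the dump) is an assumption of this example.

```python
import re

# Matches prefs.js lines such as: user_pref("network.proxy.type", 1);
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;\s*$')

# Constructed sample values, not taken from a real profile.
TOR_BROWSER_LIKE = '''
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_remote_dns", true);
user_pref("network.proxy.no_proxies_on", "");
'''
STOCK_LIKE = '''
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_remote_dns", false);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
'''

def parse_prefs(text):
    """Return {name: value} for the pref lines in a prefs.js-style dump."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit_proxy_obedience(prefs):
    """List settings that would let requests go around the SOCKS proxy."""
    findings = []
    if prefs.get("network.proxy.type") != 1:  # 1 = manual proxy configuration
        findings.append("network.proxy.type is not 1 (manual proxy)")
    if not prefs.get("network.proxy.socks"):
        findings.append("no SOCKS proxy host configured")
    if prefs.get("network.proxy.socks_remote_dns") is not True:
        findings.append("DNS is resolved locally, not through the proxy")
    no_proxy = prefs.get("network.proxy.no_proxies_on")
    if no_proxy is None:
        findings.append("'No Proxy For' not in dump; build default applies")
    elif str(no_proxy).strip():
        findings.append("'No Proxy For' bypasses the proxy for: " + str(no_proxy))
    return findings
```
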