Since 8.0.2 Firefox configured for general Proxy use call's out directly/bypasses proxy to e.g. push.services.mozilla.com

mozilla / multi-account-containers

Firefox Multi-Account Containers lets you keep parts of your online life separated into color-coded tabs that preserve your privacy. Cookies are separated by container, allowing you to use the web with multiple identities or accounts simultaneously.

https://addons.mozilla.org/firefox/addon/multi-account-containers/

Mozilla Public License 2.0

2.74k stars 342 forks source link

Since 8.0.2 Firefox configured for general Proxy use call's out directly/bypasses proxy to e.g. push.services.mozilla.com #2216

Closed RonnyTNL closed 2 years ago

RonnyTNL commented 2 years ago

Since latest update 8.0.2 Firefox which is configured to use a local proxy call's out directly to push.services.mozilla.com When I disable the Multi-Account-Container the issue disappears, when enabled again the issue returns.

Multi-Account Containers Version: 8.0.2
Operating System + Version: Win10x64
Firefox Version: 94.0.2 x64
Other installed Add-ons + Version + Enabled/Disabled-Status: Not relevant to the issue

Actual behavior

Firefox tries to bypass the configured local proxy settings

Expected behavior

Firefox should honor the 'default proxy' settings, unless multi-container specifies a different proxy (no page is loaded when behavior occurs).

Steps to reproduce

Configure FF to use a local proxy.
Configure FF to not open any page on startup.
Start FF and monitor network traffic you will see that traffic now bypasses the general set proxy
Disable Multi-Container, issue gone
Enable Mutli-Container, issue reappears

Notes

RonnyTNL commented 2 years ago

Additional domains trying to connect are at least:

contile.services.mozilla.com firefox.settings.services.mozilla.com content-signature-2.cdn.mozilla.net push.services.mozilla.com

So it looks like all 'startup calls' are bypassing the proxy setting.

RonnyTNL commented 2 years ago

Just reproduced on an other machine, same specs.

CrossRoast commented 2 years ago

Perhaps it's possible to provide an option to proxy "all other" connections that don't fall into any of the containers? Such as the ones listed above or the browsing that happens via normal tabs outside of containers.

bakulf commented 2 years ago

Thanks for filing this issue. Maybe, multi-account-containers should not touch the proxy settings if there is an existing proxy configuration. We will work on this in the next release.

bakulf commented 2 years ago

Fixed in 8.0.3. This build is about to be released.

RonnyTNL commented 2 years ago

Sorry to bump this but when is 8.0.3 going to be released, corporate users behind firewalls that enforce proxy are severely limited by this as e.g. CRL and OCSP lookups fail, which causes security concerns and delay-load times.

RonnyTNL commented 2 years ago

Problem is NOT solved with 8.0.3 Repro on two machines:

Setup a strict proxy, and preferably a software firewall that will alert for connections outside the proxy.

Open firefox on a blank page. Navigate to "Tools" -> Addons and Themes and you'll notice a direct connection to load the installed extension images/icons.

Corresponding DNS request == addons.mozilla.org Also CRL/OCSP lookup seems affected (at least) == oscp.digicert.com

Setting Multi-Account containers to disabled removes this behavior.