Stop Breaking Proxy Functionality!

By codonaft February 17, 2026
I've never trusted proxy functionality in various apps. There's something to learn from how Chromium-based browsers silently screwed it at some point, for example.
Stop Breaking Proxy Functionality!

Internet censorship seems to be everywhere to some degree today.

Switching between VPNs becomes mainstream. As a result, solving excessive amounts of CAPTCHA nonsense because some service detected a “suspicious” IP also became normal. And receiving sudden bans for whatever innocent action made from an unusual IP is not that unusual anymore.

I was looking for a simple way to route some of the traffic to various proxies due to all this, based on hostname. I find it funny how poorly it’s implemented, for instance, in Chromium-based browsers.

PAC

There’s a thing called Proxy Auto Configuration files. Somebody not very technical, if lucky enough, would do a test like this, based on LLM outputs:

function FindProxyForURL(url, host) {
  return 'HTTP 127.0.0.1:12345';
}

And then pass the file with --proxy-pac-url=file:///path/to/proxy.pac.

What’s wrong? It silently uses direct traffic for multiple reasons:

  • HTTP keyword actually means nothing; PROXY should be used instead
    • SOCKS5 and PROXY are valid, but HTTP is not; very “logical”!
  • file:// PAC URIs became outdated at some point
    • and it seems to me the intention was to make people publish their PAC files on http(s) instead, accessible with a direct connection; those who didn’t do that simply leaked their real IPs.

This will happen again

Some base64-perversion is currently supported instead of http(s) links to PAC files. I wonder for how long.

I believe that whatever I configured will silently switch to direct traffic on some browser update again. SOCKS5 will be renamed to SOCKS5H or this functionality will be removed entirely while the argument will still be there for compatibility or whatever.

App devs, test this properly!

Please don’t make proxy functionality like this crap in your apps. If something is not right, your app is supposed to just stop transmitting data and scream with an explanation of what’s wrong.

If you believe it should suddenly and silently send your data directly instead—imagine a journalist visiting/living in an authoritarian country and unwillingly connecting to a nostr relay hosted in some so-called “enemy” country. And then goes to jail, in an extreme case. Or worse. Just because your software has updated to something “clever”.

And don’t rely too much on your project dependencies when it comes to privacy! If you have a subsystem that supports proxy connections and you don’t control it very much, write a test that verifies that not just your app still works with the configured proxy, but the fact that the data is still transmitted from the expected IP.

This might literally save somebody’s life today.

#privacy #proxy #chromium
No comments yet.