I just learned about the environment variable MOZ_DISABLE_NONLOCAL_CONNECTIONS that we use in our testing environment. It feeds through to one real location in the browser: nsSocketTransport2 https://searchfox.org/mozilla-central/rev/8976abf9cab8eb4661665cc86bd355cd08...
This isn't a sandbox. If an attacker has code execution (parent or content process) they can make network connections manually from system libraries and will never touch this code. But it might be a way to add (some) assurance about browser features accidentally bypassing the proxy.
So I'm wondering if this is something Tor Browser can set for defense in depth. In fact, it's already in esr52: https://dxr.mozilla.org/mozilla-esr52/search?q=AreNonLocalConnectionsDisable... I tried to get Tor Browser to unset the proxy but couldn't seem to get it to work; is there a patch that prevents this?
It would be interesting to remove the patches tagged 'tbb-proxy-bypass' (on https://torpat.ch/uplift) and see if this prevented (some) of those.
-tom
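As an added illustration, not part of Tom's post and not Firefox's own code: a small C model of the gate the post describes, a check that lives inside the browser's socket layer and refuses any destination that is not the local host while the variable is set. Everything here is a simplification for the reader: `is_local_address`, `connect_allowed` and `connect_allowed_env` are hypothetical names; the variable is treated as set when it is present and non-empty (an assumption, not a statement about Firefox's parsing); hostnames are not resolved; and what the real browser does on a violation is not reproduced. The decision is split from the environment read so the policy can be exercised deterministically, and the model makes the post's caveat concrete: a process that calls `connect()` itself never passes through this function.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of an in-browser "non-local connections disabled" gate.
 * A destination counts as local if it is the literal "localhost", an IPv4
 * address in 127.0.0.0/8, the IPv6 loopback ::1, or an IPv4-mapped IPv6
 * address ::ffff:127.x.x.x. Unparseable input (e.g. an unresolved hostname)
 * is treated as non-local, so the gate fails closed. */
bool is_local_address(const char *host)
{
    if (host == NULL)
        return false;
    if (strcmp(host, "localhost") == 0)
        return true;

    struct in_addr v4;
    if (inet_pton(AF_INET, host, &v4) == 1) {
        /* Loopback is the whole 127/8 block, not only 127.0.0.1. */
        return (ntohl(v4.s_addr) >> 24) == 127;
    }

    struct in6_addr v6;
    if (inet_pton(AF_INET6, host, &v6) == 1) {
        static const unsigned char loopback6[16] =
            { 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,1 };
        static const unsigned char v4mapped_prefix[12] =
            { 0,0,0,0, 0,0,0,0, 0,0,0xff,0xff };
        if (memcmp(v6.s6_addr, loopback6, 16) == 0)
            return true;
        /* ::ffff:a.b.c.d carries the IPv4 address in the last four bytes. */
        if (memcmp(v6.s6_addr, v4mapped_prefix, 12) == 0)
            return v6.s6_addr[12] == 127;
        return false;
    }
    return false;
}

/* Pure policy decision: with the restriction off everything is allowed;
 * with it on, only local destinations pass. */
bool connect_allowed(const char *host, bool nonlocal_disabled)
{
    if (!nonlocal_disabled)
        return true;
    return is_local_address(host);
}

/* Wrapper that derives the flag from the process environment. Assumption for
 * this model: the variable counts as set when present and non-empty. */
bool connect_allowed_env(const char *host)
{
    const char *env = getenv("MOZ_DISABLE_NONLOCAL_CONNECTIONS");
    bool disabled = (env != NULL && env[0] != '\0');
    return connect_allowed(host, disabled);
}

int main(void)
{
    /* Constructed sample destinations, evaluated with the restriction on. */
    const char *samples[] = { "127.0.0.1", "::1", "localhost",
                              "::ffff:127.0.0.1", "10.0.0.1", "example.org" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s -> %s\n", samples[i],
               connect_allowed(samples[i], true) ? "allowed" : "refused");
    return 0;
}
```

Run with `MOZ_DISABLE_NONLOCAL_CONNECTIONS=1 ./a.out` to see the environment-driven path; the important property for the post's argument is the one the model makes visible, namely that `connect_allowed` is only consulted by code that chooses to call it.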