Tor browser does not ignore alt-svc even when already connected through an alt-svc onion
Arma suggested that I write this ticket after I talked to him about it on IRC.
When connecting to a web service that sends an alt-svc header with an onion domain, Tor browser does not ignore such headers even after it is already connected through one. This means that services like Cloudflare, which send a random onion in each alt-svc header, cause a large number of new onion circuits to be built each time a request is made. This can severely degrade performance to the point that setting network.http.altsvc.enabled to false increases the performance of interactive websites and reloading websites by more than 5 times.
I tested this using https://www.iplocation.net/, but it works on most sites behind Cloudflare. When network.http.altsvc.enabled was set to true, reloading the page (without selecting a new circuit) caused my browser to connect to it through a new onion each time (and each GET request to a resource sent a different onion over the alt-svc header). When reloading it three times, GET / finished in 4.82s, 5.14s, and 2.60s. The slowest loading resource (all small resources) loaded in 33.29s, 7.52s, and 10.28s, respectively. When I set network.http.altsvc.enabled to false, the loading times were 0.800s, 0.757s, 0.497s. I tested this on two computers on two different networks and got similar results.
There are two solutions, besides simply disabling alt-svc, that I can think of:
- Ask Cloudflare to stop sending more alt-svc headers when the client is already connected through the onion
- Ignore new alt-svc onions on the Tor browser side once we are already connected through one
I have confirmed through the Tor control port that this is the case and that it is not just a UI bug.
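A sketch of the second option listed above, as an added example that is not part of the original ticket and is not Tor Browser code: it parses an Alt-Svc header value (RFC 7838 syntax) and drops newly advertised onion alternatives when the connection is already routed through an onion. The function names, the `routedHost` parameter and the sample onion names are assumptions made for illustration.

```javascript
// Added illustration; function names and sample values are hypothetical.
// Parse an Alt-Svc header value (RFC 7838) into its advertised alternatives.
function parseAltSvc(value) {
  const trimmed = value.trim();
  // "clear" advertises nothing (cache invalidation is not modelled here).
  if (trimmed === "clear") return [];
  const entries = [];
  // Split on commas that are outside quoted strings.
  for (const part of trimmed.match(/(?:[^,"]|"[^"]*")+/g) || []) {
    const [alt, ...params] = part.split(";").map((s) => s.trim());
    const m = /^([^=\s]+)="([^"]*)"$/.exec(alt);
    if (!m) continue; // malformed alternative: skip it
    const colon = m[2].lastIndexOf(":");
    if (colon < 0) continue; // the port is mandatory
    let maxAge = 86400; // RFC 7838 default freshness: 24 hours
    for (const p of params) {
      const pm = /^ma=(\d+)$/.exec(p);
      if (pm) maxAge = Number(pm[1]);
    }
    entries.push({
      protocol: m[1],
      host: m[2].slice(0, colon).toLowerCase(),
      port: Number(m[2].slice(colon + 1)),
      maxAge,
    });
  }
  return entries;
}

const isOnion = (host) => host.toLowerCase().endsWith(".onion");

// Return the alternatives the client should act on. `routedHost` is the host
// the current connection actually goes to (the origin, or an alternative).
function alternativesToAdopt(headerValue, routedHost) {
  const advertised = parseAltSvc(headerValue);
  // Already routed through an onion: drop newly advertised onions so that
  // each response does not trigger another onion circuit.
  return isOnion(routedHost) ? advertised.filter((a) => !isOnion(a.host)) : advertised;
}

// Constructed sample header advertising an onion alternative.
const sample = 'h2="constructedonionb.onion:443"; ma=86400; persist=1';
console.log(alternativesToAdopt(sample, "www.example.com")); // adopts the onion
console.log(alternativesToAdopt(sample, "constructedoniona.onion")); // nothing new
```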