Specify HTTP CONNECT implementation and extensions

We'd like to implement and recommend HTTP CONNECT as a preferred proxy mechanism in arti. Before we do so, we should document Tor's behavior in this regard as we do for SOCKS in https://spec.torproject.org/socks-extensions.html.

After we

have the status quo documented (!392 (merged))

We can clean up its warts, including:

Ad-hoc response codes
Lack of onion-service informational extensions
Lack of RFC conformance (if any)

Then we extend it as needed:

to support Arti's RPC
to give a supported method for providing structured isolation information (like first-party isolation)
to set other per-connection flags, possibly
to make sure that there's no way for a hostile website to make the browser probe the HTTP CONNECT port.
to consider a polyglot proxy port that accepts both SOCKS and HTTP CONNECT (if this can be done safely)

Edited May 22, 2025 by Nick Mathewson

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information