Skip to content

Traffic that leaks outside of Tor due to iOS limitations

Mike Tigas edited this page Jun 18, 2019 · 4 revisions

Due to limitations in UIWebView* and iOS, some types of network traffic are handled outside of the scope of the UIWebView (which Onion Browser configures for Tor) or even outside the scope of the app.

(*Note: we cannot use WKWebView as the method currently used to route traffic over Tor is not supported in the newer framework.)

  1. Media files, such as <audio> and <video> tags or direct HTTP(S) requests to media files that iOS can play natively. When playing the media, the request for the file is made over the clear web, and not via Tor.
  2. WebRTC is also not routed over Tor.
  3. OCSP certificate verification. OCSP verification is only triggered when visiting an EV "green bar" HTTPS site and is handled by iOS itself. See full description here.


(1) and (2) can be disabled by setting "Strict" mode (in Host Settings), which disables JavaScript and embedded media. If you are connected to a VPN, the leaked clearnet requests will go over your VPN. Other Onion Browser traffic which does not leak will still route over Tor.

There is no currently-known way to bypass (3).

This is not a comprehensive list; this is the current knowledge of the community and more HTML5 or iOS features may cause similar behavior. Enabling "Strict" mode, as noted above, disables JavaScript should provide adequate protection against JavaScript-based vectors not listed here.