Move the sysproxy package back into zen-desktop

Taskfile.yml

@@ -49,3 +49,9 @@ tasks:
     desc: Run go fmt on improperly formatted Go files.
     cmds:
       - golangci-lint fmt
+
+  pull-exclusions:
+    desc: Pull the updates from the zen-https-exclusions repository.
+    cmds:
+      - git subtree pull --prefix=internal/sysproxy/exclusions https://github.com/ZenPrivacy/zen-https-exclusions master --squash
+

go.mod

@@ -8,6 +8,7 @@ go 1.25.3
 require (
 	github.com/ZenPrivacy/zen-core v1.0.6
 	github.com/blang/semver v3.5.1+incompatible
+	github.com/hashicorp/go-multierror v1.1.1
 	github.com/wailsapp/wails/v2 v2.10.2
 	golang.org/x/sys v0.38.0
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
@@ -33,7 +34,6 @@ require (
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gorilla/websocket v1.5.3 // indirect
 	github.com/hashicorp/errwrap v1.0.0 // indirect
-	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hectane/go-acl v0.0.0-20230122075934-ca0b05cb1adb // indirect
 	github.com/jchv/go-winloader v0.0.0-20210711035445-715c2860da7e // indirect
 	github.com/klauspost/compress v1.18.0 // indirect

internal/app/app.go

@@ -24,11 +24,11 @@ import (
 	"github.com/ZenPrivacy/zen-core/networkrules"
 	"github.com/ZenPrivacy/zen-core/proxy"
 	"github.com/ZenPrivacy/zen-core/scriptlet"
-	"github.com/ZenPrivacy/zen-core/sysproxy"
 	"github.com/ZenPrivacy/zen-desktop/internal/cfg"
 	"github.com/ZenPrivacy/zen-desktop/internal/constants"
 	"github.com/ZenPrivacy/zen-desktop/internal/logger"
 	"github.com/ZenPrivacy/zen-desktop/internal/selfupdate"
+	"github.com/ZenPrivacy/zen-desktop/internal/sysproxy"
 	"github.com/ZenPrivacy/zen-desktop/internal/systray"
 	"github.com/wailsapp/wails/v2/pkg/options"
 	"github.com/wailsapp/wails/v2/pkg/runtime"

internal/sysproxy/exclusions/.gitignore

@@ -0,0 +1 @@
+.DS_Store

internal/sysproxy/exclusions/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Zen Privacy
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

internal/sysproxy/exclusions/common.txt

@@ -0,0 +1,123 @@
+# This file contains hostnames that Zen will not MITM on all platforms.
+
+# Sensitive
+proton.me
+
+# Login
+auth.openai.com
+accounts.google.com
+login.coinbase.com
+appleid.apple.com
+account.apple.com
+accounts.binance.com
+connexion-mabanque.bnpparibas
+
+# Government websites
+gouv.fr
+egov.kz
+gov.kz
+gov.uk
+gov.ua
+usa.gov
+state.gov
+whitehouse.gov
+gov.ph
+gov.au
+e-estonia.com
+eesti.ee
+
+# Password managers
+1password.com
+lastpass.com
+passwords.google.com
+passwords.google
+bitwarden.com
+dashlane.com
+
+# Banks & financial institutions
+mabanque.bnpparibas
+credit-agricole.fr
+creditmutuel.fr
+sg.fr
+bankofamerica.com
+chase.com
+wellsfargo.com
+citibank.com
+usbank.com
+capitalone.com
+pnc.com
+revolut.com
+monzo.com
+kaspi.kz
+halykbank.kz
+bcc.kz
+bankffin.kz
+jusan.kz
+onlinebank.kz
+freedompay.kz
+wlp-acs.com
+
+# Payment processors
+paypal.com
+stripe.com
+m.stripe.network
+square.com
+venmo.com
+sis.redsys.es
+payu.com
+pay.amazon.com
+klarna.com
+
+# Messengers
+whatsapp.net
+whatsapp.com
+telegram.org
+signal.org
+discord.com
+slack.com
+messenger.com
+
+# Digital infrastructure
+cloudflare.com
+aws.amazon.com
+azure.microsoft.com
+cloud.google.com
+hetzner.com
+digitalocean.com
+linode.com
+vultr.com
+heroku.com
+netlify.com
+vercel.com
+fastly.com
+akamai.com
+ps.kz
+github.com
+gitlab.com
+bitbucket.org
+docker.com
+kubernetes.io
+npmjs.com
+pypi.org
+crates.io
+rubygems.org
+signpath.io
+developer.apple.com
+auth0.com
+hanko.io
+clerk.com
+workos.com
+zitadel.com
+stytch.com
+bunny.net
+
+# OpenAI from here: https://help.openai.com/en/articles/9247338-network-recommendations-for-chatgpt-errors-on-web-and-apps
+ios.chat.openai.com
+ab.chatgpt.com
+oaiusercontent.com
+
+# Issues
+# https://github.com/ZenPrivacy/zen-desktop/pull/223
+account.booking.com
+# https://github.com/ZenPrivacy/zen-desktop/issues/407
+updates.ghub.logitechg.com

internal/sysproxy/exclusions/darwin.txt

@@ -0,0 +1,188 @@
+# This file contains macOS-specific hostnames that Zen will not MITM.
+
+# The following hostnames are sourced from https://support.apple.com/en-gb/HT210060.
+# Only relevant hostnames used by macOS over :80 and :443 are included.
+# The article includes a "Recent changes" section that should be checked periodically for updates.
+# <apple-services>
+# Device setup
+albert.apple.com
+captive.apple.com
+gs.apple.com
+humb.apple.com
+static.ips.apple.com
+sq-device.apple.com
+tbsc.apple.com
+
+# Device management
+push.apple.com
+deviceenrollment.apple.com
+deviceservices-external.apple.com
+gdmf.apple.com
+identity.apple.com
+iprofiles.apple.com
+mdmenrollment.apple.com
+vpp.itunes.apple.com
+appattest.apple.com
+axm-servicediscovery.apple.com
+
+# Apple Business Manager and Apple School Manager
+business.apple.com
+school.apple.com
+appleid.cdn-apple.com
+idmsa.apple.com
+itunes.apple.com
+mzstatic.com
+api.ent.apple.com
+api.edu.apple.com
+statici.icloud.com
+vertexsmb.com
+www.apple.com
+ws-ee-maidsvc.icloud.com
+
+# Apple Business Essentials device management
+axm-adm-enroll.apple.com
+axm-adm-mdm.apple.com
+axm-adm-scep.apple.com
+axm-app.apple.com
+icons.axm-usercontent-apple.com
+
+# Classroom and Schoolwork
+s.mzstatic.com
+play.itunes.apple.com
+ws-ee-maidsvc.icloud.com
+ws.school.apple.com
+
+# Software updates
+appldnld.apple.com
+configuration.apple.com
+gdmf.apple.com
+gg.apple.com
+gs.apple.com
+ig.apple.com
+mesu.apple.com
+oscdn.apple.com
+osrecovery.apple.com
+skl.apple.com
+swcdn.apple.com
+swdist.apple.com
+swdownload.apple.com
+swscan.apple.com
+updates-http.cdn-apple.com
+updates.cdn-apple.com
+xp.apple.com
+gdmf-ados.apple.com
+gsra.apple.com
+wkms-public.apple.com
+fcs-keys-pub-prod.cdn-apple.com
+
+# Apps and additional content
+itunes.apple.com
+apps.apple.com
+mzstatic.com
+itunes.apple.com
+ppq.apple.com
+api.apple-cloudkit.com
+appattest.apple.com
+token.safebrowsing.apple
+audiocontentdownload.apple.com
+devimages-cdn.apple.com
+download.developer.apple.com
+playgrounds-assets-cdn.apple.com
+playgrounds-cdn.apple.com
+sylvan.apple.com
+gateway.icloud.com
+
+# Content caching
+lcdn-registration.apple.com
+suconfig.apple.com
+xp-cdn.apple.com
+lcdn-locator.apple.com
+serverstatus.apple.com
+
+# Beta updates
+bpapi.apple.com
+cssubmissions.apple.com
+fba.apple.com
+
+# Apple diagnostics
+diagassets.apple.com
+
+# Domain Name System resolution
+doh.dns.apple.com
+
+# Certificate validation
+certs.apple.com
+crl.apple.com
+crl3.digicert.com
+crl4.digicert.com
+ocsp.apple.com
+ocsp.digicert.cn
+ocsp.digicert.com
+ocsp2.apple.com
+valid.apple.com
+
+# Apple Account
+account.apple.com
+appleid.cdn-apple.com
+idmsa.apple.com
+gsa.apple.com
+
+# iCloud
+apple-cloudkit.com
+apple-livephotoskit.com
+apzones.com
+cdn-apple.com
+gc.apple.com
+icloud.com
+icloud.com.cn
+icloud.apple.com
+icloud-content.com
+iwork.apple.com
+mask.icloud.com
+mask-h2.icloud.com
+mask-api.icloud.com
+
+# Apple Intelligence, Siri and Search
+guzzoni.apple.com
+smoot.apple.com
+apple-relay.cloudflare.com
+apple-relay.fastly-edge.com
+cp4.cloudflare.com
+apple-relay.apple.com
+
+# Associated domains
+app-site-association.cdn-apple.com
+app-site-association.networking.apple
+
+# Apple Pay, and likely other services (not present in the support article, found via manual debugging)
+pr-pod1-smp-device.apple.com
+pr-pod2-smp-device.apple.com
+pr-pod3-smp-device.apple.com
+pr-pod4-smp-device.apple.com
+pr-pod5-smp-device.apple.com
+pr-pod6-smp-device.apple.com
+pr-pod7-smp-device.apple.com
+pr-pod8-smp-device.apple.com
+pr-pod9-smp-device.apple.com
+pr-pod10-smp-device.apple.com
+pr-pod11-smp-device.apple.com
+pr-pod12-smp-device.apple.com
+pr-pod13-smp-device.apple.com
+pr-pod14-smp-device.apple.com
+pr-pod15-smp-device.apple.com
+smp-paymentservices.apple.com
+cn-smp-paymentservices.apple.com
+# </apple-services>
+
+# <misc>
+# Opera GX installer (probably SSL pinning)
+api.config.opr.gg
+autoupdate.opera.com
+download.opera.com
+operacdn.com
+
+# Apple Music app
+amp-api.music.apple.com
+amp-api-edge.music.apple.com
+# </misc>
+