1. context creating options: "isolated_storage", "tor_proxy"
2. setTorNewIdentity API
3. automatically launch tor when tor browser context created and tear it
down when tor browser context destroyed

fix #468
fix #464
fix #509

construciton.

There will be a utility process responsible for launching tor and
monitor it by mojo tor launcher service

When browser process receives notification, it will relaunch tor process

Also set read pipe socket to blocking mode

…ontext

fix brave/browser-laptop#14021

Auditors: @bridiver, @jumde

…rocess

This is necessary because there is an unfortunate ordering issue with
tor startup: it writes the control port first, and then the auth
cookie, but we need both in order to connect to the control port.
And it doesn't delete the auth cookie, so it can get stale.  Hence we
need to monitor writes to the auth cookie too.

fix brave/browser-laptop#14390

Auditors: @bridiver, @riastradh-brave

This is necessary because we use `persist:tor' since for hysterical
raisins there's only one normal `private' partition with in_memory_ =
true.  We use the virtual method IsOffTheRecord() to discriminate
instead.

Fixes #608.
Fixes brave/browser-laptop#14392.

Auditors: @darkdh

and launch new one with same arguments

Auditors: @riastradh-brave, @diracdeltas

…ion.getTorPid()

NOTE:
Use setTorLauncherCallback right after Session.fromPartition for tor browser context
if you want to get pid after launch

Auditors: @riastradh-brave, @diracdeltas

because we don't want to spend extra cycles to keep track of expired
keys

fix #611

Auditors: @riastradh-brave

Don't just expire any old entries for the site we're browsing -- that
may leave lots of other ones around in memory.

The timer is scheduled to run ten minutes after the last circuit that
was created.  This way, the last ten minutes of circuits are not
guaranteed to stick around in memory indefinitely.

Caveat: This doesn't _zero_ the memory, so it may still appear in
`strings /proc/N/mem`.  But it does make the memory available to be
recycled, so it's not _guaranteed_ to still appear in `strings
/proc/N/mem`.

Also, timestamp the map entries.  If we explicitly create a new map
entry for a site by requesting a new identity, the old expiry queue
entry will not delete it, but a new expiry queue entry will delete
it.  This way, circuits created by requesting a new identity are not
shorter-lived than other circuits.

We leave the old entries in the priority queue because there's no
convenient way to delete them with std::priority_queue.  In
principle, this might leak space if you repeatedly request a new
identity, but it can only leak as much space as you use by repeatedly
requesting a new identity for a maximum of ten minutes.

fix #611 real good this time

Auditors: @darkdh

Test Plan:
1. Search DDG for `what is my ip address'.
2. Record the IP address it reports.
3. Reload.
4. Confirm it's the same IP address.
5. Full-reload.
6. Confirm it's a different IP address.  Record the new IP address.
7. Wait >10min.
8. Reload.
9. Confirm it's a different IP address again.

Auditor: @bridiver

…lity process

fix brave/browser-laptop#14636

SuicideOnChannelErrorFilter calls exit in OnChannelError() this will
cause other endpoints listener can't finish their cleanup when pipe error
happens(browser process crashed or be killed) and
SuicideOnChannelErrorFilter::OnChannelError happens to be called before others.
This should be fine for most of the cases but not tor_launcher service.
`TorLauncher` requires StrongBinding::OnConnectionError to delete itself
so that `~TorLauncher` will get called and terminate tor process.

This should only happens on MacOS, SuicideOnChannelErrorFilter is
guarded by OS_POSIX and Linux has `prctl(PR_SET_PDEATHSIG, SIGKILL)`
so tor process will receive SIGKILL when tor_launcher utility process terminates
prematurely

Auditors: @riastradh-brave, @bridiver, @bbondy

…er_suppressed(noopener) specified

because WebContentsImpl::CreateNewWindow will use target_url as new site instance

The problem was cloning original site instance cause the inconsistency
between original partition and target partition because tor browser
context enforce isolation storage so every different site has its own storage partition

fix brave/browser-laptop#14392

Test Plan:
1. Open tor tab
2. Visit site contains rel="noopener" href (https://jsfiddle.net/dqokhmsg/)
3. Click the link
4. Brave shouldn't crash

Auditors: @bridiver, @bbondy

Prevent `SuicideOnChannelErrorFilter` to be added to tor_launcher utility process

Use new site instance for SessionStorageNamespaceImpl clone when opener_suppressed(noopener) specified