Expose CONNECT headers to ProxyDelegate

This brings back (slightly refreshed versions of) the
OnBeforeTunnelRequest(), OnTunnelHeadersReceived() hooks that were
removed in
https://chromium-review.googlesource.com/c/chromium/src/+/846261/.

These hooks are not used by the Data Reduction Proxy, because it
doesn't proxy https:// URLs.  They are restored for the benefit of those
downstream embedders (Opera) that use CONNECT tunnels to proxy HTTPS
requests.

Bug: 915659
Change-Id: Id0e120882a22a66c72802087a1775daeef661984
TBR: rockot@google.com
Reviewed-on: https://chromium-review.googlesource.com/c/1379766
Commit-Queue: Wojciech Dzier┼╝anowski <wdzierzanowski@opera.com>
Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: Tarun Bansal <tbansal@chromium.org>
Reviewed-by: mark a. foltz <mfoltz@chromium.org>
Reviewed-by: Eric Roman <eroman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#624075}
diff --git a/chrome/browser/extensions/api/socket/tcp_socket_unittest.cc b/chrome/browser/extensions/api/socket/tcp_socket_unittest.cc
index ab214b9..e20bfa4 100644
--- a/chrome/browser/extensions/api/socket/tcp_socket_unittest.cc
+++ b/chrome/browser/extensions/api/socket/tcp_socket_unittest.cc
@@ -522,10 +522,12 @@
       std::unique_ptr<net::ClientSocketHandle> transport_socket,
       const std::string& user_agent,
       const net::HostPortPair& endpoint,
+      const net::ProxyServer& proxy_server,
       net::HttpAuthController* http_auth_controller,
       bool tunnel,
       bool using_spdy,
       net::NextProto negotiated_protocol,
+      net::ProxyDelegate* proxy_delegate,
       bool is_https_proxy,
       const net::NetworkTrafficAnnotationTag& traffic_annotation) override {
     NOTIMPLEMENTED();
diff --git a/components/cast_channel/cast_socket_unittest.cc b/components/cast_channel/cast_socket_unittest.cc
index 0132597..6e6fc7a 100644
--- a/components/cast_channel/cast_socket_unittest.cc
+++ b/components/cast_channel/cast_socket_unittest.cc
@@ -340,10 +340,12 @@
       std::unique_ptr<net::ClientSocketHandle> transport_socket,
       const std::string& user_agent,
       const net::HostPortPair& endpoint,
+      const net::ProxyServer& proxy_server,
       net::HttpAuthController* http_auth_controller,
       bool tunnel,
       bool using_spdy,
       net::NextProto negotiated_protocol,
+      net::ProxyDelegate* proxy_delegate,
       bool is_https_proxy,
       const net::NetworkTrafficAnnotationTag& traffic_annotation) override {
     NOTIMPLEMENTED();
diff --git a/components/data_reduction_proxy/core/browser/data_reduction_proxy_delegate.cc b/components/data_reduction_proxy/core/browser/data_reduction_proxy_delegate.cc
index 761aabf0..5e799f1 100644
--- a/components/data_reduction_proxy/core/browser/data_reduction_proxy_delegate.cc
+++ b/components/data_reduction_proxy/core/browser/data_reduction_proxy_delegate.cc
@@ -153,6 +153,12 @@
     bypass_stats_->OnProxyFallback(bad_proxy, net_error);
 }
 
+net::Error DataReductionProxyDelegate::OnTunnelHeadersReceived(
+    const net::ProxyServer& proxy_server,
+    const net::HttpResponseHeaders& response_headers) {
+  return net::OK;
+}
+
 void DataReductionProxyDelegate::GetAlternativeProxy(
     const GURL& url,
     const net::ProxyRetryInfoMap& proxy_retry_info,
diff --git a/components/data_reduction_proxy/core/browser/data_reduction_proxy_delegate.h b/components/data_reduction_proxy/core/browser/data_reduction_proxy_delegate.h
index fae9be5..d759678a 100644
--- a/components/data_reduction_proxy/core/browser/data_reduction_proxy_delegate.h
+++ b/components/data_reduction_proxy/core/browser/data_reduction_proxy_delegate.h
@@ -44,6 +44,11 @@
                       const net::ProxyRetryInfoMap& proxy_retry_info,
                       net::ProxyInfo* result) override;
   void OnFallback(const net::ProxyServer& bad_proxy, int net_error) override;
+  void OnBeforeTunnelRequest(const net::ProxyServer& proxy_server,
+                             net::HttpRequestHeaders* extra_headers) override {}
+  net::Error OnTunnelHeadersReceived(
+      const net::ProxyServer& proxy_server,
+      const net::HttpResponseHeaders& response_headers) override;
 
  protected:
   // Protected so that it can be overridden during testing.
diff --git a/net/base/proxy_delegate.h b/net/base/proxy_delegate.h
index 7a8c419..6731e64a 100644
--- a/net/base/proxy_delegate.h
+++ b/net/base/proxy_delegate.h
@@ -8,6 +8,7 @@
 #include <string>
 
 #include "base/macros.h"
+#include "net/base/net_errors.h"
 #include "net/base/net_export.h"
 #include "net/proxy_resolution/proxy_retry_info.h"
 
@@ -15,6 +16,8 @@
 
 namespace net {
 
+class HttpRequestHeaders;
+class HttpResponseHeaders;
 class ProxyInfo;
 class ProxyServer;
 
@@ -44,6 +47,20 @@
   virtual void OnFallback(const ProxyServer& bad_proxy,
                           int net_error) = 0;
 
+  // Called immediately before a proxy tunnel request is sent.
+  // Provides the embedder an opportunity to add extra request headers.
+  virtual void OnBeforeTunnelRequest(const ProxyServer& proxy_server,
+                                     HttpRequestHeaders* extra_headers) = 0;
+
+  // Called when the response headers for the proxy tunnel request have been
+  // received. Allows the delegate to override the net error code of the tunnel
+  // request. Returning OK causes the standard tunnel response handling to be
+  // performed. Implementations should make sure they can trust |proxy_server|
+  // before making decisions based on |response_headers|.
+  virtual Error OnTunnelHeadersReceived(
+      const ProxyServer& proxy_server,
+      const HttpResponseHeaders& response_headers) = 0;
+
  private:
   DISALLOW_COPY_AND_ASSIGN(ProxyDelegate);
 };
diff --git a/net/base/test_proxy_delegate.cc b/net/base/test_proxy_delegate.cc
index 5ac1dbea..407e11f 100644
--- a/net/base/test_proxy_delegate.cc
+++ b/net/base/test_proxy_delegate.cc
@@ -4,6 +4,9 @@
 
 #include "net/base/test_proxy_delegate.h"
 
+#include "net/base/net_errors.h"
+#include "net/http/http_request_headers.h"
+#include "net/http/http_response_headers.h"
 #include "net/proxy_resolution/proxy_info.h"
 #include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
 #include "testing/gtest/include/gtest/gtest.h"
@@ -14,6 +17,16 @@
 
 TestProxyDelegate::~TestProxyDelegate() = default;
 
+void TestProxyDelegate::VerifyOnTunnelHeadersReceived(
+    const ProxyServer& proxy_server,
+    const std::string& response_header_name,
+    const std::string& response_header_value) const {
+  EXPECT_EQ(proxy_server, on_tunnel_headers_received_proxy_server_);
+  ASSERT_NE(on_tunnel_headers_received_headers_.get(), nullptr);
+  EXPECT_TRUE(on_tunnel_headers_received_headers_->HasHeaderValue(
+      response_header_name, response_header_value));
+}
+
 void TestProxyDelegate::OnResolveProxy(
     const GURL& url,
     const std::string& method,
@@ -48,4 +61,23 @@
 void TestProxyDelegate::OnFallback(const ProxyServer& bad_proxy,
                                    int net_error) {}
 
+void TestProxyDelegate::OnBeforeTunnelRequest(
+    const ProxyServer& proxy_server,
+    HttpRequestHeaders* extra_headers) {
+  on_before_tunnel_request_called_ = true;
+  if (extra_headers)
+    extra_headers->SetHeader("Foo", proxy_server.ToURI());
+}
+
+Error TestProxyDelegate::OnTunnelHeadersReceived(
+    const ProxyServer& proxy_server,
+    const HttpResponseHeaders& response_headers) {
+  EXPECT_EQ(on_tunnel_headers_received_headers_.get(), nullptr);
+  on_tunnel_headers_received_headers_ =
+      base::MakeRefCounted<HttpResponseHeaders>(response_headers.raw_headers());
+
+  on_tunnel_headers_received_proxy_server_ = proxy_server;
+  return OK;
+}
+
 }  // namespace net
diff --git a/net/base/test_proxy_delegate.h b/net/base/test_proxy_delegate.h
index fae7feb..e966994 100644
--- a/net/base/test_proxy_delegate.h
+++ b/net/base/test_proxy_delegate.h
@@ -7,6 +7,7 @@
 
 #include <string>
 
+#include "base/memory/ref_counted.h"
 #include "net/base/proxy_delegate.h"
 #include "net/base/proxy_server.h"
 
@@ -21,16 +22,30 @@
   TestProxyDelegate();
   ~TestProxyDelegate() override;
 
+  bool on_before_tunnel_request_called() const {
+    return on_before_tunnel_request_called_;
+  }
+
   void set_trusted_spdy_proxy(const ProxyServer& proxy_server) {
     trusted_spdy_proxy_ = proxy_server;
   }
 
+  void VerifyOnTunnelHeadersReceived(
+      const ProxyServer& proxy_server,
+      const std::string& response_header_name,
+      const std::string& response_header_value) const;
+
   // ProxyDelegate implementation:
   void OnResolveProxy(const GURL& url,
                       const std::string& method,
                       const ProxyRetryInfoMap& proxy_retry_info,
                       ProxyInfo* result) override;
   void OnFallback(const ProxyServer& bad_proxy, int net_error) override;
+  void OnBeforeTunnelRequest(const ProxyServer& proxy_server,
+                             HttpRequestHeaders* extra_headers) override;
+  Error OnTunnelHeadersReceived(
+      const ProxyServer& proxy_server,
+      const HttpResponseHeaders& response_headers) override;
 
   void set_alternative_proxy_server(
       const ProxyServer& alternative_proxy_server) {
@@ -41,6 +56,9 @@
   }
 
  private:
+  bool on_before_tunnel_request_called_ = false;
+  ProxyServer on_tunnel_headers_received_proxy_server_;
+  scoped_refptr<HttpResponseHeaders> on_tunnel_headers_received_headers_;
   ProxyServer trusted_spdy_proxy_;
   ProxyServer alternative_proxy_server_;
 };
diff --git a/net/dns/address_sorter_posix_unittest.cc b/net/dns/address_sorter_posix_unittest.cc
index bdf2f0c..b16213c 100644
--- a/net/dns/address_sorter_posix_unittest.cc
+++ b/net/dns/address_sorter_posix_unittest.cc
@@ -170,10 +170,12 @@
       std::unique_ptr<ClientSocketHandle> transport_socket,
       const std::string& user_agent,
       const HostPortPair& endpoint,
+      const ProxyServer& proxy_server,
       HttpAuthController* http_auth_controller,
       bool tunnel,
       bool using_spdy,
       NextProto negotiated_protocol,
+      ProxyDelegate* proxy_delegate,
       bool is_https_proxy,
       const NetworkTrafficAnnotationTag& traffic_annotation) override {
     NOTIMPLEMENTED();
diff --git a/net/dns/dns_session_unittest.cc b/net/dns/dns_session_unittest.cc
index 1e75390..9c3e4646 100644
--- a/net/dns/dns_session_unittest.cc
+++ b/net/dns/dns_session_unittest.cc
@@ -57,10 +57,12 @@
       std::unique_ptr<ClientSocketHandle> transport_socket,
       const std::string& user_agent,
       const HostPortPair& endpoint,
+      const ProxyServer& proxy_server,
       HttpAuthController* http_auth_controller,
       bool tunnel,
       bool using_spdy,
       NextProto negotiated_protocol,
+      ProxyDelegate* proxy_delegate,
       bool is_https_proxy,
       const NetworkTrafficAnnotationTag& traffic_annotation) override {
     NOTIMPLEMENTED();
diff --git a/net/http/http_network_session.cc b/net/http/http_network_session.cc
index 8ca3e33..b71a6eb 100644
--- a/net/http/http_network_session.cc
+++ b/net/http/http_network_session.cc
@@ -59,7 +59,8 @@
       context.cert_verifier, context.channel_id_service,
       context.transport_security_state, context.cert_transparency_verifier,
       context.ct_policy_enforcer, ssl_session_cache_shard,
-      context.ssl_config_service, websocket_endpoint_lock_manager, pool_type);
+      context.ssl_config_service, websocket_endpoint_lock_manager,
+      context.proxy_delegate, pool_type);
 }
 
 }  // unnamed namespace
@@ -160,6 +161,7 @@
       cert_transparency_verifier(nullptr),
       ct_policy_enforcer(nullptr),
       proxy_resolution_service(nullptr),
+      proxy_delegate(nullptr),
       ssl_config_service(nullptr),
       http_auth_handler_factory(nullptr),
       net_log(nullptr),
diff --git a/net/http/http_network_session.h b/net/http/http_network_session.h
index 3fe77b2..6833a7b4 100644
--- a/net/http/http_network_session.h
+++ b/net/http/http_network_session.h
@@ -67,6 +67,7 @@
 class NetworkErrorLoggingService;
 #endif
 class NetworkQualityEstimator;
+class ProxyDelegate;
 class ProxyResolutionService;
 class ProxyServer;
 class QuicCryptoClientStreamFactory;
@@ -252,6 +253,7 @@
     CTVerifier* cert_transparency_verifier;
     CTPolicyEnforcer* ct_policy_enforcer;
     ProxyResolutionService* proxy_resolution_service;
+    ProxyDelegate* proxy_delegate;
     SSLConfigService* ssl_config_service;
     HttpAuthHandlerFactory* http_auth_handler_factory;
     HttpServerProperties* http_server_properties;
diff --git a/net/http/http_network_transaction_unittest.cc b/net/http/http_network_transaction_unittest.cc
index 1fc70b8..f0403a9 100644
--- a/net/http/http_network_transaction_unittest.cc
+++ b/net/http/http_network_transaction_unittest.cc
@@ -698,7 +698,7 @@
 CaptureGroupNameHttpProxySocketPool::CaptureGroupNameSocketPool(
     HostResolver* /* host_resolver */,
     CertVerifier* /* cert_verifier */)
-    : HttpProxyClientSocketPool(0, 0, NULL, NULL, NULL, NULL) {}
+    : HttpProxyClientSocketPool(0, 0, NULL, NULL, NULL, NULL, NULL) {}
 
 template <>
 CaptureGroupNameSSLSocketPool::CaptureGroupNameSocketPool(
diff --git a/net/http/http_proxy_client_socket.cc b/net/http/http_proxy_client_socket.cc
index e55a99d..12cfb3d 100644
--- a/net/http/http_proxy_client_socket.cc
+++ b/net/http/http_proxy_client_socket.cc
@@ -14,6 +14,7 @@
 #include "net/base/auth.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/io_buffer.h"
+#include "net/base/proxy_delegate.h"
 #include "net/http/http_basic_stream.h"
 #include "net/http/http_network_session.h"
 #include "net/http/http_request_info.h"
@@ -33,10 +34,12 @@
     std::unique_ptr<ClientSocketHandle> transport_socket,
     const std::string& user_agent,
     const HostPortPair& endpoint,
+    const ProxyServer& proxy_server,
     HttpAuthController* http_auth_controller,
     bool tunnel,
     bool using_spdy,
     NextProto negotiated_protocol,
+    ProxyDelegate* proxy_delegate,
     bool is_https_proxy,
     const NetworkTrafficAnnotationTag& traffic_annotation)
     : io_callback_(base::BindRepeating(&HttpProxyClientSocket::OnIOComplete,
@@ -50,6 +53,8 @@
       negotiated_protocol_(negotiated_protocol),
       is_https_proxy_(is_https_proxy),
       redirect_has_load_timing_info_(false),
+      proxy_server_(proxy_server),
+      proxy_delegate_(proxy_delegate),
       traffic_annotation_(traffic_annotation),
       net_log_(transport_->socket()->NetLog()) {
   // Synthesize the bits of a request that we actually use.
@@ -382,16 +387,25 @@
   // we have proxy info available.
   if (request_line_.empty()) {
     DCHECK(request_headers_.IsEmpty());
-    HttpRequestHeaders authorization_headers;
+
+    HttpRequestHeaders extra_headers;
     if (auth_->HaveAuth())
-      auth_->AddAuthorizationHeader(&authorization_headers);
+      auth_->AddAuthorizationHeader(&extra_headers);
+
+    if (proxy_delegate_) {
+      HttpRequestHeaders proxy_delegate_headers;
+      proxy_delegate_->OnBeforeTunnelRequest(proxy_server_,
+                                             &proxy_delegate_headers);
+      extra_headers.MergeFrom(proxy_delegate_headers);
+    }
+
     std::string user_agent;
     if (!request_.extra_headers.GetHeader(HttpRequestHeaders::kUserAgent,
                                           &user_agent)) {
       user_agent.clear();
     }
-    BuildTunnelRequest(endpoint_, authorization_headers, user_agent,
-                       &request_line_, &request_headers_);
+    BuildTunnelRequest(endpoint_, extra_headers, user_agent, &request_line_,
+                       &request_headers_);
 
     net_log_.AddEvent(
         NetLogEventType::HTTP_TRANSACTION_SEND_TUNNEL_HEADERS,
@@ -432,6 +446,15 @@
       NetLogEventType::HTTP_TRANSACTION_READ_TUNNEL_RESPONSE_HEADERS,
       base::Bind(&HttpResponseHeaders::NetLogCallback, response_.headers));
 
+  if (proxy_delegate_) {
+    int rv = proxy_delegate_->OnTunnelHeadersReceived(proxy_server_,
+                                                      *response_.headers);
+    if (rv != OK) {
+      DCHECK_NE(ERR_IO_PENDING, rv);
+      return rv;
+    }
+  }
+
   switch (response_.headers->response_code()) {
     case 200:  // OK
       if (http_stream_parser_->IsMoreDataBuffered())
diff --git a/net/http/http_proxy_client_socket.h b/net/http/http_proxy_client_socket.h
index 38c65bf8..45a4130 100644
--- a/net/http/http_proxy_client_socket.h
+++ b/net/http/http_proxy_client_socket.h
@@ -18,6 +18,7 @@
 #include "net/base/host_port_pair.h"
 #include "net/base/load_timing_info.h"
 #include "net/base/net_export.h"
+#include "net/base/proxy_server.h"
 #include "net/http/http_auth_controller.h"
 #include "net/http/http_request_headers.h"
 #include "net/http/http_request_info.h"
@@ -34,6 +35,7 @@
 class HttpStream;
 class HttpStreamParser;
 class IOBuffer;
+class ProxyDelegate;
 
 class NET_EXPORT_PRIVATE HttpProxyClientSocket : public ProxyClientSocket {
  public:
@@ -43,10 +45,12 @@
   HttpProxyClientSocket(std::unique_ptr<ClientSocketHandle> transport_socket,
                         const std::string& user_agent,
                         const HostPortPair& endpoint,
+                        const ProxyServer& proxy_server,
                         HttpAuthController* http_auth_controller,
                         bool tunnel,
                         bool using_spdy,
                         NextProto negotiated_protocol,
+                        ProxyDelegate* proxy_delegate,
                         bool is_https_proxy,
                         const NetworkTrafficAnnotationTag& traffic_annotation);
 
@@ -167,6 +171,11 @@
   bool redirect_has_load_timing_info_;
   LoadTimingInfo redirect_load_timing_info_;
 
+  const ProxyServer proxy_server_;
+
+  // This delegate must outlive this proxy client socket.
+  ProxyDelegate* proxy_delegate_;
+
   // Network traffic annotation for handshaking and setup.
   const NetworkTrafficAnnotationTag traffic_annotation_;
 
diff --git a/net/http/http_proxy_client_socket_fuzzer.cc b/net/http/http_proxy_client_socket_fuzzer.cc
index e74ef30..af12e96 100644
--- a/net/http/http_proxy_client_socket_fuzzer.cc
+++ b/net/http/http_proxy_client_socket_fuzzer.cc
@@ -66,8 +66,11 @@
   bool is_https_proxy = data_provider.ConsumeBool();
   net::HttpProxyClientSocket socket(
       std::move(socket_handle), "Bond/007", net::HostPortPair("foo", 80),
+      net::ProxyServer(net::ProxyServer::SCHEME_HTTP,
+                       net::HostPortPair("proxy", 42)),
       auth_controller.get(), true /* tunnel */, false /* using_spdy */,
-      net::kProtoUnknown, is_https_proxy, TRAFFIC_ANNOTATION_FOR_TESTS);
+      net::kProtoUnknown, nullptr /* proxy_delegate */, is_https_proxy,
+      TRAFFIC_ANNOTATION_FOR_TESTS);
   int result = socket.Connect(callback.callback());
   result = callback.GetResult(result);
 
diff --git a/net/http/http_proxy_client_socket_pool.cc b/net/http/http_proxy_client_socket_pool.cc
index d10c8d1..21ace98 100644
--- a/net/http/http_proxy_client_socket_pool.cc
+++ b/net/http/http_proxy_client_socket_pool.cc
@@ -173,6 +173,7 @@
     const SocketTag& socket_tag,
     ClientSocketPool::RespectLimits respect_limits,
     const scoped_refptr<HttpProxySocketParams>& params,
+    ProxyDelegate* proxy_delegate,
     TransportClientSocketPool* transport_pool,
     SSLClientSocketPool* ssl_pool,
     NetworkQualityEstimator* network_quality_estimator,
@@ -207,6 +208,7 @@
           params->quic_stream_factory(),
           params->is_trusted_proxy(),
           params->tunnel(),
+          proxy_delegate,
           params->traffic_annotation(),
           this->net_log())) {}
 
@@ -301,10 +303,12 @@
     HttpProxyConnectJobFactory(
         TransportClientSocketPool* transport_pool,
         SSLClientSocketPool* ssl_pool,
+        ProxyDelegate* proxy_delegate,
         NetworkQualityEstimator* network_quality_estimator,
         NetLog* net_log)
     : transport_pool_(transport_pool),
       ssl_pool_(ssl_pool),
+      proxy_delegate_(proxy_delegate),
       network_quality_estimator_(network_quality_estimator),
       net_log_(net_log) {}
 
@@ -315,8 +319,9 @@
     ConnectJob::Delegate* delegate) const {
   return std::make_unique<HttpProxyConnectJob>(
       group_name, request.priority(), request.socket_tag(),
-      request.respect_limits(), request.params(), transport_pool_, ssl_pool_,
-      network_quality_estimator_, delegate, net_log_);
+      request.respect_limits(), request.params(), proxy_delegate_,
+      transport_pool_, ssl_pool_, network_quality_estimator_, delegate,
+      net_log_);
 }
 
 HttpProxyClientSocketPool::HttpProxyClientSocketPool(
@@ -324,6 +329,7 @@
     int max_sockets_per_group,
     TransportClientSocketPool* transport_pool,
     SSLClientSocketPool* ssl_pool,
+    ProxyDelegate* proxy_delegate,
     NetworkQualityEstimator* network_quality_estimator,
     NetLog* net_log)
     : transport_pool_(transport_pool),
@@ -335,6 +341,7 @@
             ClientSocketPool::used_idle_socket_timeout(),
             new HttpProxyConnectJobFactory(transport_pool,
                                            ssl_pool,
+                                           proxy_delegate,
                                            network_quality_estimator,
                                            net_log)) {
   // We should always have a |transport_pool_| except in unit tests.
diff --git a/net/http/http_proxy_client_socket_pool.h b/net/http/http_proxy_client_socket_pool.h
index 69e1f4d..a869631 100644
--- a/net/http/http_proxy_client_socket_pool.h
+++ b/net/http/http_proxy_client_socket_pool.h
@@ -33,6 +33,7 @@
 class HttpProxyClientSocketWrapper;
 class NetLog;
 class NetworkQualityEstimator;
+class ProxyDelegate;
 class QuicStreamFactory;
 class SSLClientSocketPool;
 class SSLSocketParams;
@@ -116,6 +117,7 @@
                       const SocketTag& socket_tag,
                       ClientSocketPool::RespectLimits respect_limits,
                       const scoped_refptr<HttpProxySocketParams>& params,
+                      ProxyDelegate* proxy_delegate,
                       TransportClientSocketPool* transport_pool,
                       SSLClientSocketPool* ssl_pool,
                       NetworkQualityEstimator* network_quality_estimator,
@@ -170,6 +172,7 @@
                             int max_sockets_per_group,
                             TransportClientSocketPool* transport_pool,
                             SSLClientSocketPool* ssl_pool,
+                            ProxyDelegate* proxy_delegate,
                             NetworkQualityEstimator* network_quality_estimator,
                             NetLog* net_log);
 
@@ -241,6 +244,7 @@
     HttpProxyConnectJobFactory(
         TransportClientSocketPool* transport_pool,
         SSLClientSocketPool* ssl_pool,
+        ProxyDelegate* proxy_delegate,
         NetworkQualityEstimator* network_quality_estimator,
         NetLog* net_log);
 
@@ -256,6 +260,7 @@
 
     TransportClientSocketPool* const transport_pool_;
     SSLClientSocketPool* const ssl_pool_;
+    ProxyDelegate* const proxy_delegate_;
     NetworkQualityEstimator* const network_quality_estimator_;
 
     NetLog* net_log_;
diff --git a/net/http/http_proxy_client_socket_pool_unittest.cc b/net/http/http_proxy_client_socket_pool_unittest.cc
index 10f8be28..c333199 100644
--- a/net/http/http_proxy_client_socket_pool_unittest.cc
+++ b/net/http/http_proxy_client_socket_pool_unittest.cc
@@ -21,6 +21,7 @@
 #include "build/build_config.h"
 #include "net/base/net_errors.h"
 #include "net/base/test_completion_callback.h"
+#include "net/base/test_proxy_delegate.h"
 #include "net/http/http_network_session.h"
 #include "net/http/http_proxy_client_socket.h"
 #include "net/http/http_response_headers.h"
@@ -93,6 +94,7 @@
                                                         kMaxSocketsPerGroup,
                                                         &transport_socket_pool_,
                                                         &ssl_socket_pool_,
+                                                        nullptr,
                                                         &estimator_,
                                                         nullptr)) {
     session_ = CreateNetworkSession();
@@ -135,6 +137,12 @@
     HttpProxyConnectJob::UpdateFieldTrialParametersForTesting();
   }
 
+  void InitPoolWithProxyDelegate(ProxyDelegate* proxy_delegate) {
+    pool_ = std::make_unique<HttpProxyClientSocketPool>(
+        kMaxSockets, kMaxSocketsPerGroup, &transport_socket_pool_,
+        &ssl_socket_pool_, proxy_delegate, &estimator_, nullptr);
+  }
+
   void AddAuthToCache() {
     const base::string16 kFoo(base::ASCIIToUTF16("foo"));
     const base::string16 kBar(base::ASCIIToUTF16("bar"));
@@ -274,6 +282,9 @@
                         ::testing::Values(HTTP, HTTPS, SPDY));
 
 TEST_P(HttpProxyClientSocketPoolTest, NoTunnel) {
+  TestProxyDelegate proxy_delegate;
+  InitPoolWithProxyDelegate(&proxy_delegate);
+
   Initialize(base::span<MockRead>(), base::span<MockWrite>(),
              base::span<MockRead>(), base::span<MockWrite>());
 
@@ -285,6 +296,7 @@
   EXPECT_TRUE(handle_.is_initialized());
   ASSERT_TRUE(handle_.socket());
   EXPECT_TRUE(handle_.socket()->IsConnected());
+  EXPECT_FALSE(proxy_delegate.on_before_tunnel_request_called());
 
   bool is_secure_proxy = GetParam() == HTTPS || GetParam() == SPDY;
   histogram_tester().ExpectTotalCount(
@@ -293,6 +305,49 @@
       "Net.HttpProxy.ConnectLatency.Secure.Success", is_secure_proxy ? 1 : 0);
 }
 
+TEST_P(HttpProxyClientSocketPoolTest, ProxyDelegateExtraHeaders) {
+  // It's pretty much impossible to make the SPDY case behave synchronously
+  // so we skip this test for SPDY.
+  if (GetParam() == SPDY)
+    return;
+
+  TestProxyDelegate proxy_delegate;
+  InitPoolWithProxyDelegate(&proxy_delegate);
+
+  const ProxyServer proxy_server(
+      GetParam() == HTTP ? ProxyServer::SCHEME_HTTP : ProxyServer::SCHEME_HTTPS,
+      HostPortPair(GetParam() == HTTP ? kHttpProxyHost : kHttpsProxyHost,
+                   GetParam() == HTTP ? 80 : 443));
+  const std::string request =
+      "CONNECT www.google.com:443 HTTP/1.1\r\n"
+      "Host: www.google.com:443\r\n"
+      "Proxy-Connection: keep-alive\r\n"
+      "Foo: " +
+      proxy_server.ToURI() + "\r\n\r\n";
+  MockWrite writes[] = {
+      MockWrite(SYNCHRONOUS, 0, request.c_str()),
+  };
+
+  const std::string response_header_name = "Foo";
+  const std::string response_header_value = "Response";
+  const std::string response = "HTTP/1.1 200 Connection Established\r\n" +
+                               response_header_name + ": " +
+                               response_header_value + "\r\n\r\n";
+  MockRead reads[] = {
+      MockRead(SYNCHRONOUS, 1, response.c_str()),
+  };
+
+  Initialize(reads, writes, base::span<MockRead>(), base::span<MockWrite>());
+
+  int rv = handle_.Init("a", CreateTunnelParams(), LOW, SocketTag(),
+                        ClientSocketPool::RespectLimits::ENABLED,
+                        callback_.callback(), pool_.get(), NetLogWithSource());
+  EXPECT_THAT(rv, IsOk());
+
+  proxy_delegate.VerifyOnTunnelHeadersReceived(
+      proxy_server, response_header_name, response_header_value);
+}
+
 // Make sure that HttpProxyConnectJob passes on its priority to its
 // (non-SSL) socket request on Init.
 TEST_P(HttpProxyClientSocketPoolTest, SetSocketRequestPriorityOnInit) {
@@ -384,13 +439,12 @@
   // so we skip this test for SPDY
   if (GetParam() == SPDY)
     return;
-  std::string request =
-      "CONNECT www.google.com:443 HTTP/1.1\r\n"
-      "Host: www.google.com:443\r\n"
-      "Proxy-Connection: keep-alive\r\n"
-      "Proxy-Authorization: Basic Zm9vOmJhcg==\r\n\r\n";
   MockWrite writes[] = {
-    MockWrite(SYNCHRONOUS, 0, request.c_str()),
+      MockWrite(SYNCHRONOUS, 0,
+                "CONNECT www.google.com:443 HTTP/1.1\r\n"
+                "Host: www.google.com:443\r\n"
+                "Proxy-Connection: keep-alive\r\n"
+                "Proxy-Authorization: Basic Zm9vOmJhcg==\r\n\r\n"),
   };
   MockRead reads[] = {
     MockRead(SYNCHRONOUS, 1, "HTTP/1.1 200 Connection Established\r\n\r\n"),
@@ -409,13 +463,12 @@
 }
 
 TEST_P(HttpProxyClientSocketPoolTest, AsyncHaveAuth) {
-  std::string request =
-      "CONNECT www.google.com:443 HTTP/1.1\r\n"
-      "Host: www.google.com:443\r\n"
-      "Proxy-Connection: keep-alive\r\n"
-      "Proxy-Authorization: Basic Zm9vOmJhcg==\r\n\r\n";
   MockWrite writes[] = {
-    MockWrite(ASYNC, 0, request.c_str()),
+      MockWrite(ASYNC, 0,
+                "CONNECT www.google.com:443 HTTP/1.1\r\n"
+                "Host: www.google.com:443\r\n"
+                "Proxy-Connection: keep-alive\r\n"
+                "Proxy-Authorization: Basic Zm9vOmJhcg==\r\n\r\n"),
   };
   MockRead reads[] = {
     MockRead(ASYNC, 1, "HTTP/1.1 200 Connection Established\r\n\r\n"),
@@ -867,7 +920,8 @@
       false, kSecureMultiplier, kNonSecureMultiplier, kMinTimeout, kMaxTimeout);
 
   HttpProxyClientSocketPool::HttpProxyConnectJobFactory job_factory(
-      transport_socket_pool(), ssl_socket_pool(), estimator(), nullptr);
+      transport_socket_pool(), ssl_socket_pool(), nullptr, estimator(),
+      nullptr);
 
   const base::TimeDelta kRttEstimate = base::TimeDelta::FromSeconds(2);
   estimator()->SetStartTimeNullHttpRtt(kRttEstimate);
diff --git a/net/http/http_proxy_client_socket_unittest.cc b/net/http/http_proxy_client_socket_unittest.cc
index 6b97067..d4d11b99 100644
--- a/net/http/http_proxy_client_socket_unittest.cc
+++ b/net/http/http_proxy_client_socket_unittest.cc
@@ -7,6 +7,7 @@
 #include "build/build_config.h"
 #include "net/base/address_list.h"
 #include "net/base/host_port_pair.h"
+#include "net/base/proxy_server.h"
 #include "net/log/test_net_log.h"
 #include "net/socket/next_proto.h"
 #include "net/socket/socket_tag.h"
@@ -29,9 +30,9 @@
   // |connection| takes ownership of |tagging_sock|, but keep a
   // non-owning pointer to it.
   connection->SetSocket(std::unique_ptr<StreamSocket>(tagging_sock));
-  HttpProxyClientSocket socket(std::move(connection), "", HostPortPair(),
-                               nullptr, false, false, NextProto(), false,
-                               TRAFFIC_ANNOTATION_FOR_TESTS);
+  HttpProxyClientSocket socket(
+      std::move(connection), "", HostPortPair(), ProxyServer(), nullptr, false,
+      false, NextProto(), nullptr, false, TRAFFIC_ANNOTATION_FOR_TESTS);
 
   EXPECT_EQ(tagging_sock->tag(), SocketTag());
 #if defined(OS_ANDROID)
diff --git a/net/http/http_proxy_client_socket_wrapper.cc b/net/http/http_proxy_client_socket_wrapper.cc
index fcfb57b..dcc9c6a 100644
--- a/net/http/http_proxy_client_socket_wrapper.cc
+++ b/net/http/http_proxy_client_socket_wrapper.cc
@@ -12,6 +12,7 @@
 #include "base/memory/weak_ptr.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/values.h"
+#include "net/base/proxy_delegate.h"
 #include "net/http/http_proxy_client_socket.h"
 #include "net/http/http_response_info.h"
 #include "net/log/net_log_event_type.h"
@@ -54,6 +55,7 @@
     QuicStreamFactory* quic_stream_factory,
     bool is_trusted_proxy,
     bool tunnel,
+    ProxyDelegate* proxy_delegate,
     const NetworkTrafficAnnotationTag& traffic_annotation,
     const NetLogWithSource& net_log)
     : next_state_(STATE_NONE),
@@ -73,6 +75,7 @@
       spdy_session_pool_(spdy_session_pool),
       has_restarted_(false),
       tunnel_(tunnel),
+      proxy_delegate_(proxy_delegate),
       using_spdy_(false),
       is_trusted_proxy_(is_trusted_proxy),
       quic_stream_factory_(quic_stream_factory),
@@ -394,6 +397,16 @@
   return ERR_SOCKET_NOT_CONNECTED;
 }
 
+ProxyServer::Scheme HttpProxyClientSocketWrapper::GetProxyServerScheme() const {
+  if (quic_version_ != quic::QUIC_VERSION_UNSUPPORTED)
+    return ProxyServer::SCHEME_QUIC;
+
+  if (transport_params_)
+    return ProxyServer::SCHEME_HTTP;
+
+  return ProxyServer::SCHEME_HTTPS;
+}
+
 void HttpProxyClientSocketWrapper::OnIOComplete(int result) {
   int rv = DoLoop(result);
   if (rv != ERR_IO_PENDING) {
@@ -473,12 +486,18 @@
 int HttpProxyClientSocketWrapper::DoBeginConnect() {
   connect_start_time_ = base::TimeTicks::Now();
   SetConnectTimer(connect_timeout_duration_);
-  if (quic_version_ != quic::QUIC_VERSION_UNSUPPORTED) {
-    next_state_ = STATE_QUIC_PROXY_CREATE_SESSION;
-  } else if (transport_params_) {
-    next_state_ = STATE_TCP_CONNECT;
-  } else {
-    next_state_ = STATE_SSL_CONNECT;
+  switch (GetProxyServerScheme()) {
+    case ProxyServer::SCHEME_QUIC:
+      next_state_ = STATE_QUIC_PROXY_CREATE_SESSION;
+      break;
+    case ProxyServer::SCHEME_HTTP:
+      next_state_ = STATE_TCP_CONNECT;
+      break;
+    case ProxyServer::SCHEME_HTTPS:
+      next_state_ = STATE_SSL_CONNECT;
+      break;
+    default:
+      NOTREACHED();
   }
   return OK;
 }
@@ -617,8 +636,10 @@
   transport_socket_ =
       transport_pool_->client_socket_factory()->CreateProxyClientSocket(
           std::move(transport_socket_handle_), user_agent_, endpoint_,
+          ProxyServer(GetProxyServerScheme(),
+                      GetDestination().host_port_pair()),
           http_auth_controller_.get(), tunnel_, using_spdy_,
-          negotiated_protocol_, ssl_params_.get() != nullptr,
+          negotiated_protocol_, proxy_delegate_, ssl_params_.get() != nullptr,
           traffic_annotation_);
   return transport_socket_->Connect(base::Bind(
       &HttpProxyClientSocketWrapper::OnIOComplete, base::Unretained(this)));
diff --git a/net/http/http_proxy_client_socket_wrapper.h b/net/http/http_proxy_client_socket_wrapper.h
index 8b49097d..a28efa3 100644
--- a/net/http/http_proxy_client_socket_wrapper.h
+++ b/net/http/http_proxy_client_socket_wrapper.h
@@ -18,6 +18,7 @@
 #include "net/base/completion_once_callback.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/load_timing_info.h"
+#include "net/base/proxy_server.h"
 #include "net/http/http_auth_controller.h"
 #include "net/http/proxy_client_socket.h"
 #include "net/log/net_log_with_source.h"
@@ -36,6 +37,7 @@
 class HttpResponseInfo;
 class HttpStream;
 class IOBuffer;
+class ProxyDelegate;
 class SpdySessionPool;
 class SSLClientSocketPool;
 class TransportClientSocketPool;
@@ -75,6 +77,7 @@
       QuicStreamFactory* quic_stream_factory,
       bool is_trusted_proxy,
       bool tunnel,
+      ProxyDelegate* proxy_delegate,
       const NetworkTrafficAnnotationTag& traffic_annotation,
       const NetLogWithSource& net_log);
 
@@ -151,6 +154,8 @@
     STATE_NONE,
   };
 
+  ProxyServer::Scheme GetProxyServerScheme() const;
+
   void OnIOComplete(int result);
 
   // Runs the state transition loop.
@@ -205,6 +210,7 @@
 
   bool has_restarted_;
   const bool tunnel_;
+  ProxyDelegate* const proxy_delegate_;
 
   bool using_spdy_;
   bool is_trusted_proxy_;
diff --git a/net/http/http_proxy_client_socket_wrapper_unittest.cc b/net/http/http_proxy_client_socket_wrapper_unittest.cc
index 5d256d7..40f235c 100644
--- a/net/http/http_proxy_client_socket_wrapper_unittest.cc
+++ b/net/http/http_proxy_client_socket_wrapper_unittest.cc
@@ -293,8 +293,8 @@
       /*transport_params=*/nullptr, ssl_params, quic_version_, kUserAgent,
       endpoint_host_port_, &http_auth_cache_, http_auth_handler_factory_.get(),
       /*spdy_session_pool=*/nullptr, quic_stream_factory_.get(),
-      /*is_trusted_proxy=*/false, /*tunnel=*/true, TRAFFIC_ANNOTATION_FOR_TESTS,
-      net_log_));
+      /*is_trusted_proxy=*/false, /*tunnel=*/true, /*proxy_delegate=*/nullptr,
+      TRAFFIC_ANNOTATION_FOR_TESTS, net_log_));
 
   TestCompletionCallback callback;
   client_socket_wrapper_->Connect(callback.callback());
@@ -351,8 +351,8 @@
       /*transport_params=*/nullptr, ssl_params, quic_version_, kUserAgent,
       endpoint_host_port_, &http_auth_cache_, http_auth_handler_factory_.get(),
       /*spdy_session_pool=*/nullptr, quic_stream_factory_.get(),
-      /*is_trusted_proxy=*/false, /*tunnel=*/true, TRAFFIC_ANNOTATION_FOR_TESTS,
-      net_log_));
+      /*is_trusted_proxy=*/false, /*tunnel=*/true, /*proxy_delegate=*/nullptr,
+      TRAFFIC_ANNOTATION_FOR_TESTS, net_log_));
 
   TestCompletionCallback callback;
   client_socket_wrapper_->Connect(callback.callback());
diff --git a/net/http/http_stream_factory_unittest.cc b/net/http/http_stream_factory_unittest.cc
index 5faf10b..3d68939 100644
--- a/net/http/http_stream_factory_unittest.cc
+++ b/net/http/http_stream_factory_unittest.cc
@@ -462,7 +462,13 @@
     TransportSecurityState*,
     CTVerifier*,
     CTPolicyEnforcer*)
-    : HttpProxyClientSocketPool(0, 0, nullptr, nullptr, nullptr, nullptr),
+    : HttpProxyClientSocketPool(0,
+                                0,
+                                nullptr,
+                                nullptr,
+                                nullptr,
+                                nullptr,
+                                nullptr),
       last_num_streams_(-1) {}
 
 template <>
diff --git a/net/http/proxy_client_socket.cc b/net/http/proxy_client_socket.cc
index e646fe1e..6dde1d5 100644
--- a/net/http/proxy_client_socket.cc
+++ b/net/http/proxy_client_socket.cc
@@ -24,7 +24,7 @@
 // static
 void ProxyClientSocket::BuildTunnelRequest(
     const HostPortPair& endpoint,
-    const HttpRequestHeaders& auth_headers,
+    const HttpRequestHeaders& extra_headers,
     const std::string& user_agent,
     std::string* request_line,
     HttpRequestHeaders* request_headers) {
@@ -41,7 +41,7 @@
   if (!user_agent.empty())
     request_headers->SetHeader(HttpRequestHeaders::kUserAgent, user_agent);
 
-  request_headers->MergeFrom(auth_headers);
+  request_headers->MergeFrom(extra_headers);
 }
 
 // static
diff --git a/net/http/proxy_client_socket.h b/net/http/proxy_client_socket.h
index 639ac30..1d3f2a8 100644
--- a/net/http/proxy_client_socket.h
+++ b/net/http/proxy_client_socket.h
@@ -67,7 +67,7 @@
   // in draft-luotonen-web-proxy-tunneling-01.txt and RFC 2817, Sections 5.2
   // and 5.3.
   static void BuildTunnelRequest(const HostPortPair& endpoint,
-                                 const HttpRequestHeaders& auth_headers,
+                                 const HttpRequestHeaders& extra_headers,
                                  const std::string& user_agent,
                                  std::string* request_line,
                                  HttpRequestHeaders* request_headers);
diff --git a/net/proxy_resolution/pac_library_unittest.cc b/net/proxy_resolution/pac_library_unittest.cc
index 87c12c0..67642c02 100644
--- a/net/proxy_resolution/pac_library_unittest.cc
+++ b/net/proxy_resolution/pac_library_unittest.cc
@@ -265,10 +265,12 @@
       std::unique_ptr<ClientSocketHandle> transport_socket,
       const std::string& user_agent,
       const HostPortPair& endpoint,
+      const ProxyServer& proxy_server,
       HttpAuthController* http_auth_controller,
       bool tunnel,
       bool using_spdy,
       NextProto negotiated_protocol,
+      ProxyDelegate* proxy_delegate,
       bool is_https_proxy,
       const NetworkTrafficAnnotationTag& traffic_annotation) override {
     ADD_FAILURE() << "Called CreateProxyClientSocket()";
diff --git a/net/proxy_resolution/proxy_resolution_service_unittest.cc b/net/proxy_resolution/proxy_resolution_service_unittest.cc
index 8bf71e4..439477f 100644
--- a/net/proxy_resolution/proxy_resolution_service_unittest.cc
+++ b/net/proxy_resolution/proxy_resolution_service_unittest.cc
@@ -220,6 +220,15 @@
 
   void OnFallback(const ProxyServer& bad_proxy, int net_error) override {}
 
+  void OnBeforeTunnelRequest(const ProxyServer& proxy_server,
+                             HttpRequestHeaders* extra_headers) override {}
+
+  Error OnTunnelHeadersReceived(
+      const ProxyServer& proxy_server,
+      const HttpResponseHeaders& response_headers) override {
+    return OK;
+  }
+
  private:
   int num_resolve_proxy_called_ = 0;
   bool add_proxy_ = false;
@@ -236,12 +245,22 @@
                       const std::string& method,
                       const ProxyRetryInfoMap& proxy_retry_info,
                       ProxyInfo* result) override {}
+
   void OnFallback(const ProxyServer& bad_proxy, int net_error) override {
     proxy_server_ = bad_proxy;
     last_proxy_fallback_net_error_ = net_error;
     num_proxy_fallback_called_++;
   }
 
+  void OnBeforeTunnelRequest(const ProxyServer& proxy_server,
+                             HttpRequestHeaders* extra_headers) override {}
+
+  Error OnTunnelHeadersReceived(
+      const ProxyServer& proxy_server,
+      const HttpResponseHeaders& response_headers) override {
+    return OK;
+  }
+
   bool num_proxy_fallback_called() const { return num_proxy_fallback_called_; }
 
   const ProxyServer& proxy_server() const {
diff --git a/net/socket/client_socket_factory.cc b/net/socket/client_socket_factory.cc
index 2ddce22..de98df3 100644
--- a/net/socket/client_socket_factory.cc
+++ b/net/socket/client_socket_factory.cc
@@ -69,16 +69,18 @@
       std::unique_ptr<ClientSocketHandle> transport_socket,
       const std::string& user_agent,
       const HostPortPair& endpoint,
+      const ProxyServer& proxy_server,
       HttpAuthController* http_auth_controller,
       bool tunnel,
       bool using_spdy,
       NextProto negotiated_protocol,
+      ProxyDelegate* proxy_delegate,
       bool is_https_proxy,
       const NetworkTrafficAnnotationTag& traffic_annotation) override {
     return std::make_unique<HttpProxyClientSocket>(
-        std::move(transport_socket), user_agent, endpoint, http_auth_controller,
-        tunnel, using_spdy, negotiated_protocol, is_https_proxy,
-        traffic_annotation);
+        std::move(transport_socket), user_agent, endpoint, proxy_server,
+        http_auth_controller, tunnel, using_spdy, negotiated_protocol,
+        proxy_delegate, is_https_proxy, traffic_annotation);
   }
 
   void ClearSSLSessionCache() override { SSLClientSocket::ClearSessionCache(); }
diff --git a/net/socket/client_socket_factory.h b/net/socket/client_socket_factory.h
index 009c4e1..6123167 100644
--- a/net/socket/client_socket_factory.h
+++ b/net/socket/client_socket_factory.h
@@ -27,6 +27,8 @@
 struct SSLClientSocketContext;
 struct SSLConfig;
 class ProxyClientSocket;
+class ProxyDelegate;
+class ProxyServer;
 class HttpAuthController;
 
 // An interface used to instantiate StreamSocket objects.  Used to facilitate
@@ -61,10 +63,12 @@
       std::unique_ptr<ClientSocketHandle> transport_socket,
       const std::string& user_agent,
       const HostPortPair& endpoint,
+      const ProxyServer& proxy_server,
       HttpAuthController* http_auth_controller,
       bool tunnel,
       bool using_spdy,
       NextProto negotiated_protocol,
+      ProxyDelegate* proxy_delegate,
       bool is_https_proxy,
       const NetworkTrafficAnnotationTag& traffic_annotation) = 0;
 
diff --git a/net/socket/client_socket_pool_base_unittest.cc b/net/socket/client_socket_pool_base_unittest.cc
index 26a784c..be7e7df 100644
--- a/net/socket/client_socket_pool_base_unittest.cc
+++ b/net/socket/client_socket_pool_base_unittest.cc
@@ -244,10 +244,12 @@
       std::unique_ptr<ClientSocketHandle> transport_socket,
       const std::string& user_agent,
       const HostPortPair& endpoint,
+      const ProxyServer& proxy_server,
       HttpAuthController* http_auth_controller,
       bool tunnel,
       bool using_spdy,
       NextProto negotiated_protocol,
+      ProxyDelegate* proxy_delegate,
       bool is_https_proxy,
       const NetworkTrafficAnnotationTag& traffic_annotation) override {
     NOTIMPLEMENTED();
diff --git a/net/socket/client_socket_pool_manager_impl.cc b/net/socket/client_socket_pool_manager_impl.cc
index 44ae320..11b2821 100644
--- a/net/socket/client_socket_pool_manager_impl.cc
+++ b/net/socket/client_socket_pool_manager_impl.cc
@@ -52,6 +52,7 @@
     const std::string& ssl_session_cache_shard,
     SSLConfigService* ssl_config_service,
     WebSocketEndpointLockManager* websocket_endpoint_lock_manager,
+    ProxyDelegate* proxy_delegate,
     HttpNetworkSession::SocketPoolType pool_type)
     : net_log_(net_log),
       socket_factory_(socket_factory),
@@ -65,6 +66,7 @@
       ct_policy_enforcer_(ct_policy_enforcer),
       ssl_session_cache_shard_(ssl_session_cache_shard),
       ssl_config_service_(ssl_config_service),
+      proxy_delegate_(proxy_delegate),
       pool_type_(pool_type),
       transport_socket_pool_(pool_type ==
                                      HttpNetworkSession::WEBSOCKET_SOCKET_POOL
@@ -308,7 +310,7 @@
           http_proxy, std::make_unique<HttpProxyClientSocketPool>(
                           sockets_per_proxy_server, sockets_per_group,
                           tcp_http_ret.first->second.get(),
-                          ssl_https_ret.first->second.get(),
+                          ssl_https_ret.first->second.get(), proxy_delegate_,
                           network_quality_estimator_, net_log_)));
 
   return ret.first->second.get();
diff --git a/net/socket/client_socket_pool_manager_impl.h b/net/socket/client_socket_pool_manager_impl.h
index 2706d93e..5f500dd 100644
--- a/net/socket/client_socket_pool_manager_impl.h
+++ b/net/socket/client_socket_pool_manager_impl.h
@@ -35,6 +35,7 @@
 class HostResolver;
 class NetLog;
 class NetworkQualityEstimator;
+class ProxyDelegate;
 class ProxyServer;
 class SocketPerformanceWatcherFactory;
 class SOCKSClientSocketPool;
@@ -62,6 +63,7 @@
       const std::string& ssl_session_cache_shard,
       SSLConfigService* ssl_config_service,
       WebSocketEndpointLockManager* websocket_endpoint_lock_manager,
+      ProxyDelegate* proxy_delegate,
       HttpNetworkSession::SocketPoolType pool_type);
   ~ClientSocketPoolManagerImpl() override;
 
@@ -113,6 +115,7 @@
   CTPolicyEnforcer* const ct_policy_enforcer_;
   const std::string ssl_session_cache_shard_;
   SSLConfigService* const ssl_config_service_;
+  ProxyDelegate* const proxy_delegate_;
   const HttpNetworkSession::SocketPoolType pool_type_;
 
   // Note: this ordering is important.
diff --git a/net/socket/fuzzed_socket_factory.cc b/net/socket/fuzzed_socket_factory.cc
index 57449da..136072c 100644
--- a/net/socket/fuzzed_socket_factory.cc
+++ b/net/socket/fuzzed_socket_factory.cc
@@ -156,10 +156,12 @@
     std::unique_ptr<ClientSocketHandle> transport_socket,
     const std::string& user_agent,
     const HostPortPair& endpoint,
+    const ProxyServer& proxy_server,
     HttpAuthController* http_auth_controller,
     bool tunnel,
     bool using_spdy,
     NextProto negotiated_protocol,
+    ProxyDelegate* proxy_delegate,
     bool is_https_proxy,
     const NetworkTrafficAnnotationTag& traffic_annotation) {
   NOTIMPLEMENTED();
diff --git a/net/socket/fuzzed_socket_factory.h b/net/socket/fuzzed_socket_factory.h
index fad788a..46153a7 100644
--- a/net/socket/fuzzed_socket_factory.h
+++ b/net/socket/fuzzed_socket_factory.h
@@ -56,10 +56,12 @@
       std::unique_ptr<ClientSocketHandle> transport_socket,
       const std::string& user_agent,
       const HostPortPair& endpoint,
+      const ProxyServer& proxy_server,
       HttpAuthController* http_auth_controller,
       bool tunnel,
       bool using_spdy,
       NextProto negotiated_protocol,
+      ProxyDelegate* proxy_delegate,
       bool is_https_proxy,
       const NetworkTrafficAnnotationTag& traffic_annotation) override;
 
diff --git a/net/socket/socket_test_util.cc b/net/socket/socket_test_util.cc
index 68617d63..14d7608 100644
--- a/net/socket/socket_test_util.cc
+++ b/net/socket/socket_test_util.cc
@@ -796,10 +796,12 @@
     std::unique_ptr<ClientSocketHandle> transport_socket,
     const std::string& user_agent,
     const HostPortPair& endpoint,
+    const ProxyServer& proxy_server,
     HttpAuthController* http_auth_controller,
     bool tunnel,
     bool using_spdy,
     NextProto negotiated_protocol,
+    ProxyDelegate* proxy_delegate,
     bool is_https_proxy,
     const NetworkTrafficAnnotationTag& traffic_annotation) {
   if (use_mock_proxy_client_sockets_) {
@@ -808,9 +810,9 @@
         std::move(transport_socket), http_auth_controller, next_proxy_data);
   } else {
     return GetDefaultFactory()->CreateProxyClientSocket(
-        std::move(transport_socket), user_agent, endpoint, http_auth_controller,
-        tunnel, using_spdy, negotiated_protocol, is_https_proxy,
-        traffic_annotation);
+        std::move(transport_socket), user_agent, endpoint, proxy_server,
+        http_auth_controller, tunnel, using_spdy, negotiated_protocol,
+        proxy_delegate, is_https_proxy, traffic_annotation);
   }
 }
 
diff --git a/net/socket/socket_test_util.h b/net/socket/socket_test_util.h
index b2237ad..36e4346d 100644
--- a/net/socket/socket_test_util.h
+++ b/net/socket/socket_test_util.h
@@ -631,10 +631,12 @@
       std::unique_ptr<ClientSocketHandle> transport_socket,
       const std::string& user_agent,
       const HostPortPair& endpoint,
+      const ProxyServer& proxy_server,
       HttpAuthController* http_auth_controller,
       bool tunnel,
       bool using_spdy,
       NextProto negotiated_protocol,
+      ProxyDelegate* proxy_delegate,
       bool is_https_proxy,
       const NetworkTrafficAnnotationTag& traffic_annotation) override;
   void ClearSSLSessionCache() override;
diff --git a/net/socket/ssl_client_socket_pool_unittest.cc b/net/socket/ssl_client_socket_pool_unittest.cc
index 07fa615..f930b1a 100644
--- a/net/socket/ssl_client_socket_pool_unittest.cc
+++ b/net/socket/ssl_client_socket_pool_unittest.cc
@@ -140,6 +140,7 @@
                                 &transport_socket_pool_,
                                 NULL,
                                 NULL,
+                                NULL,
                                 NULL) {
     ssl_config_service_->GetSSLConfig(&ssl_config_);
   }
diff --git a/net/socket/transport_client_socket_pool_test_util.cc b/net/socket/transport_client_socket_pool_test_util.cc
index 3eb3420..1213991 100644
--- a/net/socket/transport_client_socket_pool_test_util.cc
+++ b/net/socket/transport_client_socket_pool_test_util.cc
@@ -456,10 +456,12 @@
     std::unique_ptr<ClientSocketHandle> transport_socket,
     const std::string& user_agent,
     const HostPortPair& endpoint,
+    const ProxyServer& proxy_server,
     HttpAuthController* http_auth_controller,
     bool tunnel,
     bool using_spdy,
     NextProto negotiated_protocol,
+    ProxyDelegate* proxy_delegate,
     bool is_https_proxy,
     const NetworkTrafficAnnotationTag& traffic_annotation) {
   NOTIMPLEMENTED();
diff --git a/net/socket/transport_client_socket_pool_test_util.h b/net/socket/transport_client_socket_pool_test_util.h
index b341963..e4213ea5 100644
--- a/net/socket/transport_client_socket_pool_test_util.h
+++ b/net/socket/transport_client_socket_pool_test_util.h
@@ -95,10 +95,12 @@
       std::unique_ptr<ClientSocketHandle> transport_socket,
       const std::string& user_agent,
       const HostPortPair& endpoint,
+      const ProxyServer& proxy_server,
       HttpAuthController* http_auth_controller,
       bool tunnel,
       bool using_spdy,
       NextProto negotiated_protocol,
+      ProxyDelegate* proxy_delegate,
       bool is_https_proxy,
       const NetworkTrafficAnnotationTag& traffic_annotation) override;
 
diff --git a/net/url_request/url_request_context.cc b/net/url_request/url_request_context.cc
index ee4850a..74d2c25 100644
--- a/net/url_request/url_request_context.cc
+++ b/net/url_request/url_request_context.cc
@@ -35,6 +35,7 @@
       channel_id_service_(nullptr),
       http_auth_handler_factory_(nullptr),
       proxy_resolution_service_(nullptr),
+      proxy_delegate_(nullptr),
       ssl_config_service_(nullptr),
       network_delegate_(nullptr),
       http_server_properties_(nullptr),
@@ -74,6 +75,7 @@
   set_channel_id_service(other->channel_id_service_);
   set_http_auth_handler_factory(other->http_auth_handler_factory_);
   set_proxy_resolution_service(other->proxy_resolution_service_);
+  set_proxy_delegate(other->proxy_delegate_);
   set_ssl_config_service(other->ssl_config_service_);
   set_network_delegate(other->network_delegate_);
   set_http_server_properties(other->http_server_properties_);
diff --git a/net/url_request/url_request_context.h b/net/url_request/url_request_context.h
index 2eddf63..4d51f78b 100644
--- a/net/url_request/url_request_context.h
+++ b/net/url_request/url_request_context.h
@@ -45,6 +45,7 @@
 class NetLog;
 class NetworkDelegate;
 class NetworkQualityEstimator;
+class ProxyDelegate;
 class ProxyResolutionService;
 class SSLConfigService;
 class URLRequest;
@@ -140,6 +141,11 @@
     proxy_resolution_service_ = proxy_resolution_service;
   }
 
+  ProxyDelegate* proxy_delegate() const { return proxy_delegate_; }
+  void set_proxy_delegate(ProxyDelegate* proxy_delegate) {
+    proxy_delegate_ = proxy_delegate;
+  }
+
   // Get the ssl config service for this context.
   SSLConfigService* ssl_config_service() const { return ssl_config_service_; }
   void set_ssl_config_service(SSLConfigService* service) {
@@ -303,6 +309,7 @@
   ChannelIDService* channel_id_service_;
   HttpAuthHandlerFactory* http_auth_handler_factory_;
   ProxyResolutionService* proxy_resolution_service_;
+  ProxyDelegate* proxy_delegate_;
   SSLConfigService* ssl_config_service_;
   NetworkDelegate* network_delegate_;
   HttpServerProperties* http_server_properties_;
diff --git a/net/url_request/url_request_context_builder.cc b/net/url_request/url_request_context_builder.cc
index 91c1b7b..0033e7f 100644
--- a/net/url_request/url_request_context_builder.cc
+++ b/net/url_request/url_request_context_builder.cc
@@ -234,6 +234,7 @@
   session_context->ct_policy_enforcer = request_context->ct_policy_enforcer();
   session_context->proxy_resolution_service =
       request_context->proxy_resolution_service();
+  session_context->proxy_delegate = request_context->proxy_delegate();
   session_context->ssl_config_service = request_context->ssl_config_service();
   session_context->http_auth_handler_factory =
       request_context->http_auth_handler_factory();
@@ -565,9 +566,6 @@
   }
 #endif  // BUILDFLAG(ENABLE_REPORTING)
 
-  HttpNetworkSession::Context network_session_context;
-  SetHttpNetworkSessionComponents(context.get(), &network_session_context);
-
   if (proxy_delegate_) {
     DCHECK(!shared_proxy_delegate_);
     proxy_resolution_service->AssertNoProxyDelegate();
@@ -576,8 +574,12 @@
   } else if (shared_proxy_delegate_) {
     proxy_resolution_service->AssertNoProxyDelegate();
     proxy_resolution_service->SetProxyDelegate(shared_proxy_delegate_);
+    context->set_proxy_delegate(shared_proxy_delegate_);
   }
 
+  HttpNetworkSession::Context network_session_context;
+  SetHttpNetworkSessionComponents(context.get(), &network_session_context);
+
   storage->set_http_network_session(std::make_unique<HttpNetworkSession>(
       http_network_session_params_, network_session_context));
 
diff --git a/net/url_request/url_request_context_storage.cc b/net/url_request/url_request_context_storage.cc
index c84e776..ab7bb7c 100644
--- a/net/url_request/url_request_context_storage.cc
+++ b/net/url_request/url_request_context_storage.cc
@@ -70,6 +70,7 @@
 
 void URLRequestContextStorage::set_proxy_delegate(
     std::unique_ptr<ProxyDelegate> proxy_delegate) {
+  context_->set_proxy_delegate(proxy_delegate.get());
   proxy_delegate_ = std::move(proxy_delegate);
 }
 
diff --git a/net/websockets/websocket_basic_stream_adapters_test.cc b/net/websockets/websocket_basic_stream_adapters_test.cc
index d981f0c..892da3d 100644
--- a/net/websockets/websocket_basic_stream_adapters_test.cc
+++ b/net/websockets/websocket_basic_stream_adapters_test.cc
@@ -70,6 +70,7 @@
             "test_shard",
             nullptr,
             &websocket_endpoint_lock_manager_,
+            nullptr,
             HttpNetworkSession::NORMAL_SOCKET_POOL)),
         transport_params_(base::MakeRefCounted<TransportSocketParams>(
             host_port_pair_,
diff --git a/net/websockets/websocket_end_to_end_test.cc b/net/websockets/websocket_end_to_end_test.cc
index b720996..fa0a84b 100644
--- a/net/websockets/websocket_end_to_end_test.cc
+++ b/net/websockets/websocket_end_to_end_test.cc
@@ -247,6 +247,15 @@
 
   void OnFallback(const ProxyServer& bad_proxy, int net_error) override {}
 
+  void OnBeforeTunnelRequest(const ProxyServer& proxy_server,
+                             HttpRequestHeaders* extra_headers) override {}
+
+  Error OnTunnelHeadersReceived(
+      const ProxyServer& proxy_server,
+      const HttpResponseHeaders& response_headers) override {
+    return OK;
+  }
+
  private:
   ResolvedProxyInfo resolved_proxy_info_;
 
diff --git a/services/network/network_service_proxy_delegate.cc b/services/network/network_service_proxy_delegate.cc
index ffc1aed..17f643a 100644
--- a/services/network/network_service_proxy_delegate.cc
+++ b/services/network/network_service_proxy_delegate.cc
@@ -165,6 +165,16 @@
 void NetworkServiceProxyDelegate::OnFallback(const net::ProxyServer& bad_proxy,
                                              int net_error) {}
 
+void NetworkServiceProxyDelegate::OnBeforeTunnelRequest(
+    const net::ProxyServer& proxy_server,
+    net::HttpRequestHeaders* extra_headers) {}
+
+net::Error NetworkServiceProxyDelegate::OnTunnelHeadersReceived(
+    const net::ProxyServer& proxy_server,
+    const net::HttpResponseHeaders& response_headers) {
+  return net::OK;
+}
+
 void NetworkServiceProxyDelegate::OnCustomProxyConfigUpdated(
     mojom::CustomProxyConfigPtr proxy_config) {
   DCHECK(proxy_config->rules.empty() ||
diff --git a/services/network/network_service_proxy_delegate.h b/services/network/network_service_proxy_delegate.h
index 6d36748..b69173e 100644
--- a/services/network/network_service_proxy_delegate.h
+++ b/services/network/network_service_proxy_delegate.h
@@ -52,6 +52,11 @@
                       const net::ProxyRetryInfoMap& proxy_retry_info,
                       net::ProxyInfo* result) override;
   void OnFallback(const net::ProxyServer& bad_proxy, int net_error) override;
+  void OnBeforeTunnelRequest(const net::ProxyServer& proxy_server,
+                             net::HttpRequestHeaders* extra_headers) override;
+  net::Error OnTunnelHeadersReceived(
+      const net::ProxyServer& proxy_server,
+      const net::HttpResponseHeaders& response_headers) override;
 
  private:
   // Checks whether |proxy_server| is present in the current proxy config.
diff --git a/services/network/proxy_resolving_client_socket_factory.cc b/services/network/proxy_resolving_client_socket_factory.cc
index f146c2e..2c24dcac 100644
--- a/services/network/proxy_resolving_client_socket_factory.cc
+++ b/services/network/proxy_resolving_client_socket_factory.cc
@@ -36,6 +36,7 @@
   session_context.channel_id_service = NULL;
   session_context.proxy_resolution_service =
       request_context->proxy_resolution_service();
+  session_context.proxy_delegate = request_context->proxy_delegate();
   session_context.ssl_config_service = request_context->ssl_config_service();
   session_context.http_auth_handler_factory =
       request_context->http_auth_handler_factory();