AMA: How I built proxy chaining and sandboxing into a Chromium wrapper

Hey everyone! I'm Archit, the solo builder behind Sandbox Browser — a wrapper around Chromium that adds a full privacy and network control layer on top of the browser.

Since this is a technically curious community, I wanted to open up an AMA specifically about the engineering side. Here's a quick overview of what's under the hood — then ask me anything.

What Sandbox Browser actually is:

A Chromium wrapper — not a fork of Chromium internals, but a structured wrapper that intercepts and extends Chromium's network and process layers to add privacy-first controls that don't exist natively in the browser.

The 7 technical pieces that make it work:

1. Embedded SOCKS5 proxy — Runs inside the wrapper process itself. Chromium's network stack is pointed at it via the command-line proxy switch, so all requests route through it without any external app.

2. Proxy chaining with Psiphon — Psiphon is auto-launched as a child process and its SOCKS5 output port is chained into the embedded proxy. Traffic flow: Chromium → SOCKS5 wrapper → Psiphon → open internet. The chain auto-restarts if Psiphon drops.

3. Windows AppContainer sandboxing — Chromium is launched inside a Windows AppContainer — same OS-level isolation used by UWP apps. Restricts filesystem, network interface, and registry access at the OS level. A real security boundary, not just profile separation.

4. VPN-style toolbar toggle — A custom toolbar button switches the proxy chain on/off at runtime without restarting the browser. State changes are reflected live in network routing.

5. TLS fingerprint randomization — Modifies TLS ClientHello parameters on outgoing connections to reduce browser fingerprinting. Makes Sandbox Browser harder to identify as Chromium-based at the network level.

6. Split tunneling — Define which domains or IPs route through the proxy chain and which go direct. Useful for research setups that need some traffic sandboxed and some not.

7. DNS-over-HTTPS — DNS is resolved over HTTPS through a configurable DoH resolver so queries don't leak through the system resolver or become visible to ISPs.

Happy to go deep on any of these. Ask me about:

→ How the SOCKS5 proxy is embedded and managed inside the wrapper

→ How AppContainer isolation is configured for a Chromium process

→ How the Psiphon chain is kept alive reliably

→ TLS fingerprint randomization approach and tradeoffs

→ Any other architecture or design decisions

No question is too basic or too deep. Fire away!