From 3f7ece94691f048377512990a38c0317820bf77f Mon Sep 17 00:00:00 2001
From: Raymond Hill
Date: Sun, 22 Mar 2020 14:52:58 -0400
Subject: [PATCH] Do not cname-uncloak when a proxy is in use

Related issue:
- https://github.com/uBlockOrigin/uBlock-issues/issues/911

Since cname-uncloaking is available only on Firefox at the moment, the fix is relevant only to Firefox.

By default uBO will no longer cname-uncloak when it detects that network requests are being being proxied. This default behavior can be overriden by setting the new advanced setting `cnameUncloakProxied` to `true`.

The new setting default to `false`, i.e. cname-uncloaking is disabled when uBO detects that a proxy is in use.

This new advanced setting may disappear once the following Firefox issue is fixed:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1618271
---
 platform/firefox/vapi-webrequest.js | 34 ++++++++++++++++++++++-------
 src/js/background.js | 2 ++
 src/js/storage.js | 10 +++++++++
 src/js/traffic.js | 17 ++++++++++-----
 4 files changed, 50 insertions(+), 13 deletions(-)

diff --git a/platform/firefox/vapi-webrequest.js b/platform/firefox/vapi-webrequest.js
index 3dedbd690..08083b0bf 100644
--- a/platform/firefox/vapi-webrequest.js
+++ b/platform/firefox/vapi-webrequest.js
@@ -72,14 +72,32 @@ }
 setOptions(options) {
 super.setOptions(options);
- this.cnameUncloak = browser.dns instanceof Object &&
- options.cnameUncloak !== false;
- this.cnameIgnoreList = this.regexFromStrList(options.cnameIgnoreList);
- this.cnameIgnore1stParty = options.cnameIgnore1stParty !== false;
- this.cnameIgnoreExceptions = options.cnameIgnoreExceptions !== false;
- this.cnameIgnoreRootDocument = options.cnameIgnoreRootDocument !== false;
- this.cnameMaxTTL = options.cnameMaxTTL || 120;
- this.cnameReplayFullURL = options.cnameReplayFullURL === true;
+ if ( 'cnameUncloak' in options ) {
+ this.cnameUncloak = browser.dns instanceof Object &&
+ options.cnameUncloak !== false;
+ }
+ if ( 'cnameIgnoreList' in options ) {
+ this.cnameIgnoreList =
+ this.regexFromStrList(options.cnameIgnoreList);
+ }
+ if ( 'cnameIgnore1stParty' in options ) {
+ this.cnameIgnore1stParty =
+ options.cnameIgnore1stParty !== false;
+ }
+ if ( 'cnameIgnoreExceptions' in options ) {
+ this.cnameIgnoreExceptions =
+ options.cnameIgnoreExceptions !== false;
+ }
+ if ( 'cnameIgnoreRootDocument' in options ) {
+ this.cnameIgnoreRootDocument =
+ options.cnameIgnoreRootDocument !== false;
+ }
+ if ( 'cnameMaxTTL' in options ) {
+ this.cnameMaxTTL = options.cnameMaxTTL || 120;
+ }
+ if ( 'cnameReplayFullURL' in options ) {
+ this.cnameReplayFullURL = options.cnameReplayFullURL === true;
+ }
 this.cnames.clear();
 this.cnames.set('', '');
 this.cnameFlushTime = Date.now() + this.cnameMaxTTL * 60000;
 }
diff --git a/src/js/background.js b/src/js/background.js
index 22a57e588..61e984c59 100644
--- a/src/js/background.js
+++ b/src/js/background.js
@@ -54,6 +54,7 @@ const µBlock = (( ) => { // jshint ignore:line
 cnameMaxTTL: 120,
 cnameReplayFullURL: false,
 cnameUncloak: true,
+ cnameUncloakProxied: false,
 consoleLogLevel: 'unset',
 debugScriptlets: false,
 debugScriptletInjector: false,
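Review bot: `setOptions` now applies only the keys present in `options`, which is what the single-key `vAPI.Net.setOptions({ cnameUncloak: false })` call in traffic.js relies on, but nothing in the method says so and the previous version reset every field on each call. Add above `setOptions(options) {` a comment such as `// Keys missing from 'options' keep their current value, so a caller may update one setting (e.g. cnameUncloak) without resetting the others.` Note that `this.cnames.clear()` and the `cnameFlushTime` recomputation still run on every call, so even a single-key update discards the whole cname cache; if that is intended, say so in the same comment. If `cnameMaxTTL` can be absent on the very first call, `this.cnameMaxTTL` would be `undefined` in that recomputation — the constructor is outside this hunk, so I cannot confirm it is initialised there.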
@@ -105,6 +106,7 @@ const µBlock = (( ) => { // jshint ignore:line
 cloudStorageSupported: vAPI.cloud instanceof Object,
 canFilterResponseData: typeof browser.webRequest.filterResponseData === 'function',
 canInjectScriptletsNow: vAPI.webextFlavor.soup.has('chromium'),
+ proxyDNS: undefined,
 // https://github.com/chrisaljoudi/uBlock/issues/180
 // Whitelist directives need to be loaded once the PSL is available
diff --git a/src/js/storage.js b/src/js/storage.js
index 8ccac6240..bdaa9dfbf 100644
--- a/src/js/storage.js
+++ b/src/js/storage.js
@@ -143,6 +143,16 @@ self.addEventListener('hiddenSettingsChanged', ( ) => {
 cnameReplayFullURL: µBlock.hiddenSettings.cnameReplayFullURL,
 cnameUncloak: µBlock.hiddenSettings.cnameUncloak,
 });
+ // https://github.com/uBlockOrigin/uBlock-issues/issues/911
+ // See uBO's onHeadersReceived() listener.
+ if (
+ µBlock.hiddenSettings.cnameUncloak === false ||
+ µBlock.hiddenSettings.cnameUncloakProxied === true
+ ) {
+ µBlock.proxyDNS = false;
+ } else {
+ µBlock.proxyDNS = undefined;
+ }
 });
 
 /******************************************************************************/
diff --git a/src/js/traffic.js b/src/js/traffic.js
index 089fb168a..17288855e 100644
--- a/src/js/traffic.js
+++ b/src/js/traffic.js
@@ -441,6 +441,17 @@ const onHeadersReceived = function(details) {
 const isRootDoc = requestType === 'main_frame';
 const isDoc = isRootDoc || requestType === 'sub_frame';
 
+ // https://github.com/uBlockOrigin/uBlock-issues/issues/911
+ // We detect here whether network requests are proxied, and if so,
+ // de-aliasing of hostnames will be disabled to avoid possible
+ // DNS leaks.
+ if ( isRootDoc && µb.proxyDNS === undefined ) {
+ µb.proxyDNS = details.proxyInfo instanceof Object;
+ if ( µb.proxyDNS ) {
+ vAPI.Net.setOptions({ cnameUncloak: false });
+ }
+ }
+
 let pageStore = µb.pageStoreFromTabId(fctxt.tabId);
 if ( pageStore === null ) {
 if ( isRootDoc === false ) { return; }
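Review bot: Resetting `µBlock.proxyDNS = undefined` in the `else` branch re-arms the probe, but the `vAPI.Net.setOptions({ ... cnameUncloak: µBlock.hiddenSettings.cnameUncloak })` call just above has already re-enabled uncloaking, so between a hidden-settings change and the next `main_frame` response (the only point where the traffic.js hunk probes) uncloaking runs even when a proxy is in use — the very DNS-leak window this commit aims to close, and the same holds at startup while `proxyDNS` is still `undefined`. If that window matters, the cheapest closure is to pass `cnameUncloak: false` here whenever `proxyDNS` is being reset to `undefined`, and have the probe re-enable it when `proxyInfo` turns out not to be an object; that second half lives outside this hunk. The tri-state also deserves a comment, because `false` here means "no probe needed" rather than "not proxied": `// proxyDNS: undefined => probe details.proxyInfo on the next response; false => no probe needed (uncloaking is off, or explicitly allowed under a proxy).`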
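Review bot: The probe fires only once and only on a `main_frame` response, so when the first proxied traffic of a session is a sub-resource or fetch from an already-open tab (right after the extension loads or hidden settings change), `proxyDNS` stays `undefined` and uncloaking continues until some tab navigates. `details.proxyInfo` should be present on every `onHeadersReceived` details object, not just root documents (worth confirming against the Firefox webRequest docs), so dropping the type restriction — `if ( µb.proxyDNS === undefined ) {` — arms the check on the first response of any kind. The result is also cached for the session, so a proxy enabled later is not noticed until a settings change resets `proxyDNS`; state that next to the `if`: `// One-shot probe: the result is kept until hiddenSettingsChanged resets proxyDNS.` The body of `onHeadersReceived` continues outside this hunk.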
@@ -454,11 +465,7 @@ const onHeadersReceived = function(details) {
 const responseHeaders = details.responseHeaders;
 
 if ( requestType === 'image' || requestType === 'media' ) {
- return foilLargeMediaElement(
- fctxt,
- pageStore,
- responseHeaders
- );
+ return foilLargeMediaElement(fctxt, pageStore, responseHeaders);
 }
 
 if ( isDoc === false ) { return; }