Do not cname-uncloak when a proxy is in use

Related issue:
- uBlockOrigin/uBlock-issues#911

Since cname-uncloaking is available only on Firefox
at the moment, the fix is relevant only to Firefox.

By default uBO will no longer cname-uncloak when it
detects that network requests are being being proxied.

This default behavior can be overriden by setting the
new advanced setting `cnameUncloakProxied` to `true`.
The new setting default to `false`, i.e. cname-uncloaking
is disabled when uBO detects that a proxy is in use.

This new advanced setting may disappear once the
following Firefox issue is fixed:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1618271

Author: gorhill

platform/firefox/vapi-webrequest.js

@@ -72,14 +72,32 @@
         }
         setOptions(options) {
             super.setOptions(options);
-            this.cnameUncloak = browser.dns instanceof Object &&
-                                options.cnameUncloak !== false;
-            this.cnameIgnoreList = this.regexFromStrList(options.cnameIgnoreList);
-            this.cnameIgnore1stParty = options.cnameIgnore1stParty !== false;
-            this.cnameIgnoreExceptions = options.cnameIgnoreExceptions !== false;
-            this.cnameIgnoreRootDocument = options.cnameIgnoreRootDocument !== false;
-            this.cnameMaxTTL = options.cnameMaxTTL || 120;
-            this.cnameReplayFullURL = options.cnameReplayFullURL === true;
+            if ( 'cnameUncloak' in options ) {
+                this.cnameUncloak = browser.dns instanceof Object &&
+                                    options.cnameUncloak !== false;
+            }
+            if ( 'cnameIgnoreList' in options ) {
+                this.cnameIgnoreList =
+                    this.regexFromStrList(options.cnameIgnoreList);
+            }
+            if ( 'cnameIgnore1stParty' in options ) {
+                this.cnameIgnore1stParty =
+                    options.cnameIgnore1stParty !== false;
+            }
+            if ( 'cnameIgnoreExceptions' in options ) {
+                this.cnameIgnoreExceptions =
+                    options.cnameIgnoreExceptions !== false;
+            }
+            if ( 'cnameIgnoreRootDocument' in options ) {
+                this.cnameIgnoreRootDocument =
+                    options.cnameIgnoreRootDocument !== false;
+            }
+            if ( 'cnameMaxTTL' in options ) {
+                this.cnameMaxTTL = options.cnameMaxTTL || 120;
+            }
+            if ( 'cnameReplayFullURL' in options ) {
+                this.cnameReplayFullURL = options.cnameReplayFullURL === true;
+            }
             this.cnames.clear(); this.cnames.set('', '');
             this.cnameFlushTime = Date.now() + this.cnameMaxTTL * 60000;
         }

src/js/background.js

@@ -54,6 +54,7 @@ const µBlock = (( ) => { // jshint ignore:line
         cnameMaxTTL: 120,
         cnameReplayFullURL: false,
         cnameUncloak: true,
+        cnameUncloakProxied: false,
         consoleLogLevel: 'unset',
         debugScriptlets: false,
         debugScriptletInjector: false,
@@ -105,6 +106,7 @@ const µBlock = (( ) => { // jshint ignore:line
         cloudStorageSupported: vAPI.cloud instanceof Object,
         canFilterResponseData: typeof browser.webRequest.filterResponseData === 'function',
         canInjectScriptletsNow: vAPI.webextFlavor.soup.has('chromium'),
+        proxyDNS: undefined,
 
         // https://github.com/chrisaljoudi/uBlock/issues/180
         // Whitelist directives need to be loaded once the PSL is available

src/js/storage.js

@@ -143,6 +143,16 @@ self.addEventListener('hiddenSettingsChanged', ( ) => {
         cnameReplayFullURL: µBlock.hiddenSettings.cnameReplayFullURL,
         cnameUncloak: µBlock.hiddenSettings.cnameUncloak,
     });
+    // https://github.com/uBlockOrigin/uBlock-issues/issues/911
+    //   See uBO's onHeadersReceived() listener.
+    if (
+        µBlock.hiddenSettings.cnameUncloak === false ||
+        µBlock.hiddenSettings.cnameUncloakProxied === true
+    ) {
+        µBlock.proxyDNS = false;
+    } else {
+        µBlock.proxyDNS = undefined;
+    }
 });
 
 /******************************************************************************/

src/js/traffic.js

@@ -441,6 +441,17 @@ const onHeadersReceived = function(details) {
     const isRootDoc = requestType === 'main_frame';
     const isDoc = isRootDoc || requestType === 'sub_frame';
 
+    // https://github.com/uBlockOrigin/uBlock-issues/issues/911
+    //   We detect here whether network requests are proxied, and if so,
+    //   de-aliasing of hostnames will be disabled to avoid possible
+    //   DNS leaks.
+    if ( isRootDoc && µb.proxyDNS === undefined ) {
+        µb.proxyDNS = details.proxyInfo instanceof Object;
+        if ( µb.proxyDNS ) {
+            vAPI.Net.setOptions({ cnameUncloak: false });
+        }
+    }
+
     let pageStore = µb.pageStoreFromTabId(fctxt.tabId);
     if ( pageStore === null ) {
         if ( isRootDoc === false ) { return; }
@@ -454,11 +465,7 @@ const onHeadersReceived = function(details) {
     const responseHeaders = details.responseHeaders;
 
     if ( requestType === 'image' || requestType === 'media' ) {
-        return foilLargeMediaElement(
-            fctxt,
-            pageStore,
-            responseHeaders
-        );
+        return foilLargeMediaElement(fctxt, pageStore, responseHeaders);
     }
 
     if ( isDoc === false ) { return; }