On non-rooted Android, user-installed CA certificates are honored by Chromium-based browsers natively and by Firefox only after enabling a hidden debug toggle ('Use third-party CA certificates' in Secret Settings), but are not trusted by native apps that use certificate pinning. This restricts MITM-DomainFronting to browser sessions on non-rooted devices and means standalone apps such as the Google Meet native client cannot be fronted without root access.

As of May 2026, at least four major CDN providers — Google (fronted via www.google.com), Fastly (fronted via www.python.org), Vercel (fronted via nextjs.org), and Netlify/CloudFront (fronted via kubernetes.io) — route requests based on the HTTP Host header regardless of the outer TLS SNI, enabling domain fronting across more than 20 distinct high-value destinations. The correct fronting SNI for each CDN is selected by inspecting the SAN list of the CDN edge certificate and choosing a co-hosted domain the censor permits.

README / Supported destinations evaluation

MITM-DomainFronting achieves fully client-side domain fronting without any server-side infrastructure by intercepting browser TLS via a user-generated personal CA, reading the plaintext HTTP Host header, then re-encrypting outbound connections to the CDN edge with a mismatched SNI. The private CA key never leaves the device, eliminating the traditional requirement for a proxy co-located inside a CDN's network and reducing operational cost to zero.

README / Mechanism description defense

The SNI-to-destination mapping in MITM-DomainFronting is hand-curated by inspecting CDN certificate SAN lists with no automatic discovery; the author explicitly flags that these mappings must be refreshed whenever a CDN changes its SAN list or edge topology. This maintenance burden is evidenced by 20 versioned releases published in under five months (through May 18, 2026), making the config effectively a continuously-updated snapshot of 'what CDN fronting pairs are valid from Iran this week.'

README / Limitations evaluation

MITM-DomainFronting reached 1.8k GitHub stars and 170 forks by May 2026 and was merged into Xray-core mainline (PR XTLS/Xray-core#4348), making it deployable via a standard v2rayN/v2rayNG JSON config with no separate install step. The author additionally notes that Gemini explicitly IP-blocks Iranian addresses, demonstrating that certain Google services enforce IP-geolocation blocking at the application layer — a layer that SNI-based CDN fronting cannot bypass regardless of the fronted SNI.

README / intro and limitations deployment