- From: <bugzilla@jessica.w3.org>
- Date: Thu, 21 Feb 2013 09:20:46 +0000
- To: www-dom@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=21068
Bug ID: 21068
Summary: event.isTrusted should be [Unforgeable]
Classification: Unclassified
Product: WebAppsWG
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: DOM
Assignee: annevk@annevk.nl
Reporter: igor@mir2.org
QA Contact: public-webapps-bugzilla@w3.org
CC: mike@w3.org, www-dom@w3.org
Currently isTrusted attribute in the Event is defined as readonly property:
http://www.w3.org/TR/DOM-Level-3-Events/#interface-Event :
...
readonly attribute boolean isTrusted;
That defines a configurable property on the event prototype. As such the
attribute could be trivially forged to mark synthetic events as trusted using
Object.defineProperty to set the property on the event itself:
var e = document.createEvent("MouseEvents");
Object.defineProperty(e, "isTrusted", { value: true });
alert(typeof e.isTrusted+" "+e.isTrusted);
This fragment shows "boolean true" in Firefox 19 that implements the current
spec. This makes isTrusted pretty useless in code like a popup blocker. For
example, one can try to replace event.isTrusted check with:
var getter =
Object.getOwnPropertyDescriptor(Object.getPrototypeOf(document.createEvent("MouseEvents")),
"isTrusted").get;
getter.call(event)
that extracts the getter from the prototype and apply it directly to the
object. But then one has to consider that isTrusted could be redefined on the
prototype as well since the property is configurable.
To fix this and to make isTrusted really trustworthy the attribute should e
changed from readonly to [Unforgeable].
See also https://bugzilla.mozilla.org/show_bug.cgi?id=637248
--
You are receiving this mail because:
You are on the CC list for the bug.
Received on Thursday, 21 February 2013 09:20:54 UTC