[Bug 21068] New: event.isTrusted should be [Unforgeable]

https://www.w3.org/Bugs/Public/show_bug.cgi?id=21068

            Bug ID: 21068
           Summary: event.isTrusted should be [Unforgeable]
    Classification: Unclassified
           Product: WebAppsWG
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: DOM
          Assignee: annevk@annevk.nl
          Reporter: igor@mir2.org
        QA Contact: public-webapps-bugzilla@w3.org
                CC: mike@w3.org, www-dom@w3.org

Currently isTrusted attribute in the Event is defined as readonly property:

http://www.w3.org/TR/DOM-Level-3-Events/#interface-Event :

...
readonly attribute boolean        isTrusted;

That defines a configurable property on the event prototype. As such the
attribute could be trivially forged to mark synthetic events as trusted using
Object.defineProperty to set the property on the event itself:

var e = document.createEvent("MouseEvents"); 
Object.defineProperty(e, "isTrusted", { value: true }); 
alert(typeof e.isTrusted+" "+e.isTrusted);

This fragment shows "boolean true" in Firefox 19 that implements the current
spec. This makes isTrusted pretty useless in code like a popup blocker. For
example, one can try to replace event.isTrusted check with:

var getter =
Object.getOwnPropertyDescriptor(Object.getPrototypeOf(document.createEvent("MouseEvents")),
"isTrusted").get;

getter.call(event)

that extracts the getter from the prototype and apply it directly to the
object. But then one has to consider that isTrusted could be redefined on the
prototype as well since the property is configurable.

To fix this and to make isTrusted really trustworthy the attribute should e
changed from readonly to [Unforgeable].

See also https://bugzilla.mozilla.org/show_bug.cgi?id=637248

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Received on Thursday, 21 February 2013 09:20:54 UTC