21068 2013-02-21 09:20:46 +0000 event.isTrusted should be [Unforgeable] 2013-02-21 11:02:20 +0000 1 1 1 Unclassified WebAppsWG DOM unspecified All All RESOLVED FIXED P2 normal --- 1 igor annevk bruant.d mike www-dom public-webapps-bugzilla oldest_to_newest 83474 0 igor 2013-02-21 09:20:46 +0000 Currently isTrusted attribute in the Event is defined as readonly property: http://www.w3.org/TR/DOM-Level-3-Events/#interface-Event : ... readonly attribute boolean isTrusted; That defines a configurable property on the event prototype. As such the attribute could be trivially forged to mark synthetic events as trusted using Object.defineProperty to set the property on the event itself: var e = document.createEvent("MouseEvents"); Object.defineProperty(e, "isTrusted", { value: true }); alert(typeof e.isTrusted+" "+e.isTrusted); This fragment shows "boolean true" in Firefox 19 that implements the current spec. This makes isTrusted pretty useless in code like a popup blocker. For example, one can try to replace event.isTrusted check with: var getter = Object.getOwnPropertyDescriptor(Object.getPrototypeOf(document.createEvent("MouseEvents")), "isTrusted").get; getter.call(event) that extracts the getter from the prototype and apply it directly to the object. But then one has to consider that isTrusted could be redefined on the prototype as well since the property is configurable. To fix this and to make isTrusted really trustworthy the attribute should e changed from readonly to [Unforgeable]. See also https://bugzilla.mozilla.org/show_bug.cgi?id=637248 83477 1 annevk 2013-02-21 11:02:20 +0000 Thanks Igor! https://github.com/whatwg/dom/commit/559d92560a94b5bebc3fdc9f037f971af7e9beb5