Bug 21068 - event.isTrusted should be [Unforgeable]
event.isTrusted should be [Unforgeable]
Status: RESOLVED FIXED
Product: WebAppsWG
Classification: Unclassified
Component: DOM
unspecified
All All
: P2 normal
: ---
Assigned To: Anne
public-webapps-bugzilla
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2013-02-21 09:20 UTC by Igor Bukanov
Modified: 2013-02-21 11:02 UTC (History)
3 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Igor Bukanov 2013-02-21 09:20:46 UTC
Currently isTrusted attribute in the Event is defined as readonly property:

http://www.w3.org/TR/DOM-Level-3-Events/#interface-Event :

...
readonly attribute boolean        isTrusted;

That defines a configurable property on the event prototype. As such the attribute could be trivially forged to mark synthetic events as trusted using Object.defineProperty to set the property on the event itself:

var e = document.createEvent("MouseEvents"); 
Object.defineProperty(e, "isTrusted", { value: true }); 
alert(typeof e.isTrusted+" "+e.isTrusted);

This fragment shows "boolean true" in Firefox 19 that implements the current spec. This makes isTrusted pretty useless in code like a popup blocker. For example, one can try to replace event.isTrusted check with:

var getter = Object.getOwnPropertyDescriptor(Object.getPrototypeOf(document.createEvent("MouseEvents")), "isTrusted").get;

getter.call(event)

that extracts the getter from the prototype and apply it directly to the object. But then one has to consider that isTrusted could be redefined on the prototype as well since the property is configurable.

To fix this and to make isTrusted really trustworthy the attribute should e changed from readonly to [Unforgeable].

See also https://bugzilla.mozilla.org/show_bug.cgi?id=637248