This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
Currently isTrusted attribute in the Event is defined as readonly property: http://www.w3.org/TR/DOM-Level-3-Events/#interface-Event : ... readonly attribute boolean isTrusted; That defines a configurable property on the event prototype. As such the attribute could be trivially forged to mark synthetic events as trusted using Object.defineProperty to set the property on the event itself: var e = document.createEvent("MouseEvents"); Object.defineProperty(e, "isTrusted", { value: true }); alert(typeof e.isTrusted+" "+e.isTrusted); This fragment shows "boolean true" in Firefox 19 that implements the current spec. This makes isTrusted pretty useless in code like a popup blocker. For example, one can try to replace event.isTrusted check with: var getter = Object.getOwnPropertyDescriptor(Object.getPrototypeOf(document.createEvent("MouseEvents")), "isTrusted").get; getter.call(event) that extracts the getter from the prototype and apply it directly to the object. But then one has to consider that isTrusted could be redefined on the prototype as well since the property is configurable. To fix this and to make isTrusted really trustworthy the attribute should e changed from readonly to [Unforgeable]. See also https://bugzilla.mozilla.org/show_bug.cgi?id=637248
Thanks Igor! https://github.com/whatwg/dom/commit/559d92560a94b5bebc3fdc9f037f971af7e9beb5