This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 21068 - event.isTrusted should be [Unforgeable]
Summary: event.isTrusted should be [Unforgeable]
Status: RESOLVED FIXED
Alias: None
Product: WebAppsWG
Classification: Unclassified
Component: DOM (show other bugs)
Version: unspecified
Hardware: All All
: P2 normal
Target Milestone: ---
Assignee: Anne
QA Contact: public-webapps-bugzilla
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-02-21 09:20 UTC by Igor Bukanov
Modified: 2013-02-21 11:02 UTC (History)
3 users (show)

See Also:


Attachments

Description Igor Bukanov 2013-02-21 09:20:46 UTC
Currently isTrusted attribute in the Event is defined as readonly property:

http://www.w3.org/TR/DOM-Level-3-Events/#interface-Event :

...
readonly attribute boolean        isTrusted;

That defines a configurable property on the event prototype. As such the attribute could be trivially forged to mark synthetic events as trusted using Object.defineProperty to set the property on the event itself:

var e = document.createEvent("MouseEvents"); 
Object.defineProperty(e, "isTrusted", { value: true }); 
alert(typeof e.isTrusted+" "+e.isTrusted);

This fragment shows "boolean true" in Firefox 19 that implements the current spec. This makes isTrusted pretty useless in code like a popup blocker. For example, one can try to replace event.isTrusted check with:

var getter = Object.getOwnPropertyDescriptor(Object.getPrototypeOf(document.createEvent("MouseEvents")), "isTrusted").get;

getter.call(event)

that extracts the getter from the prototype and apply it directly to the object. But then one has to consider that isTrusted could be redefined on the prototype as well since the property is configurable.

To fix this and to make isTrusted really trustworthy the attribute should e changed from readonly to [Unforgeable].

See also https://bugzilla.mozilla.org/show_bug.cgi?id=637248