Are undetectable changes to a native prototype possible? · 2011-07-11 14:27 by Wladimir Palant
Function.toSource() being the only information leaks (bug 650299) one only needs to wrap these functions as well to get undetectable function proxies. However, the remaining problem is manipulating Window.prototype.open so that it actually returns my wrapper and the webpage can neither detect nor revert this manipulation.
Object.defineProperty() looks very promising, you can actually set a value for Window.prototype.open that won’t be deletable. However, the results are still inconsistent. It seems that the behavior for “real” methods of native prototypes is this:
- Properties are writable, they can be set to a different value.
- They are configurable, so deleting a property actually does something.
- A deleted method is automatically “recovered”, you get a new instance of the same function (comparing it to the original value yields “not equal”).
It’s that last feature that apparently cannot be emulated. It might be possible to use Object.watch() but the webpage can always call Object.unwatch() to kill my handler and to detect the manipulation then. __noSuchMethod__ doesn’t have the desired effect, it will only cover calls to deleted methods but not accessing a method property without calling it. Is there anything that I am missing?
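The inconsistency described above, as an added example that is not code from the original post: a probe that records the three observed behaviours of a method and compares a native-like property with one pinned via Object.defineProperty(). The stand-in prototype and the names `makeNativeLike`, `pinWrapper`, `probe` and `inconsistencies` are assumptions made for illustration, and the "recovery" is modelled with a getter on a parent object rather than taken from any browser's implementation.

```javascript
// Constructed stand-in for a native prototype (assumption, not browser code).
// It mimics the three observed behaviours: writable, configurable, and a
// fresh function instance showing up again after the property is deleted.
function makeNativeLike() {
  const resolver = Object.create(null, {
    open: { get() { return function open() { return 'native'; }; } },
  });
  const proto = Object.create(resolver);
  Object.defineProperty(proto, 'open', {
    value: function open() { return 'native'; },
    writable: true, configurable: true, enumerable: true,
  });
  return proto;
}

// Hypothetical helper: pin a wrapper the way the post describes, using
// Object.defineProperty(). writable: false is an added assumption so that
// plain assignment cannot revert it either.
function pinWrapper(proto, name, wrapper) {
  Object.defineProperty(proto, name, {
    value: wrapper, writable: false, configurable: false, enumerable: true,
  });
}

// Record what any script can observe about proto[name], then restore it.
function probe(proto, name) {
  const before = proto[name];
  const desc = Object.getOwnPropertyDescriptor(proto, name);
  const deleted = Reflect.deleteProperty(proto, name); // false if pinned
  const after = proto[name];
  if (deleted) Object.defineProperty(proto, name, desc);
  return {
    writable: desc.writable === true,
    configurable: desc.configurable === true,
    deleteSucceeded: deleted,
    stillCallable: typeof after === 'function',
    freshInstanceAfterDelete: after !== before,
  };
}

// Names of the observations on which two probe results disagree.
function inconsistencies(expected, observed) {
  return Object.keys(expected).filter((k) => expected[k] !== observed[k]);
}

const nativeLike = makeNativeLike();
const pinned = makeNativeLike();
pinWrapper(pinned, 'open', function open() { return 'wrapped'; });
console.log(inconsistencies(probe(nativeLike, 'open'), probe(pinned, 'open')));
```

Every field the probe reports is visible to ordinary page script, so each name in the printed list is a point where the pinned wrapper differs from the behaviour listed in the bullets.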