Closed Bug 923846 Opened 11 years ago Closed 2 years ago

Firefox is mangling objects in unexpected ways (Worker example).

Categories

(Core :: DOM: Workers, defect, P5)

24 Branch
x86
macOS
defect

RESOLVED INVALID

People

(Reporter: pdp, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36

Steps to reproduce:

var augmentWorker = function (OriginalWorker) {
	// Wrapper constructor: creates a native Worker and keeps it in this.worker.
	var AugmentedWorker = function (script) {
		console.log(OriginalWorker.toString());

		this.worker = new OriginalWorker(script);

		// Expected to print the native Worker constructor.
		console.log(this.worker.constructor.toString());

		// Expected to call the native postMessage on the inner Worker.
		this.worker.postMessage('hello');
	};

	// Override is placed only on the wrapper's prototype, not on the native Worker.
	AugmentedWorker.prototype.postMessage = function () {
		alert('wow');
	};

	return AugmentedWorker;
};

// Replace the global constructor with the wrapper.
Worker = augmentWorker(Worker);

new Worker('insane');

Actual results:

postMessage from AugmentedWorker is called instead of the native Worker


Expected results:

The code should have called the native function. Moreover, there is a total mix of native worker object and the constructed js object.

This issue could potentially have security implications. I haven't researched it!
Caveat: Since I don't have as good an understanding of the internals of Firefox as our platform security folks do, I have bugged them to look at this too.

I don't think this is an outright security issue as the ability to override built-in objects and methods is a feature, not a bug. There is certainly a lot of potential for abuse in changing how postMessage functionality works, but since it requires explicitly adding the code, or being vulnerable to XSS, I doubt this would be considered a bug.
Component: Untriaged → DOM: Workers
Product: Firefox → Core
Priority: -- → P5

Yes, it's fine, but not a great idea, for content to do this. For posterity, https://firefox-source-docs.mozilla.org/dom/scriptSecurity/index.html covers the mechanisms by which system code is able to avoid being confused by content code. Note that Worker.postMessage is not something used by system code and is strictly exposed for use by content.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID
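The comments above make the point that content code is free to replace a global constructor, and that system code protects itself through the script-security mechanisms linked rather than by trusting whatever the page's global happens to hold. The following is an added example, not code from the bug report or from Mozilla, showing what a content-side script (a page's first script or an extension content script) can do to detect that a built-in constructor has been swapped out the way the report swaps out window.Worker: capture pristine references first, then compare identity and source text. Node has no global Worker, so the demo applies the same check to globalThis.Map; the names auditBuiltin, shadowMap, restoreMap and demo are this example's own.

```javascript
// Added example, not code from the bug report or from Mozilla: a content-side
// audit that detects when a page script has replaced a built-in constructor
// the way the report replaces window.Worker.
// Node has no global Worker, so the demo targets globalThis.Map; the check
// itself is the same for any constructor on the global object.

// 1. Capture pristine references before any other script runs. In a browser
//    this means the first script in the document (or an extension content
//    script at document_start); here it simply means the top of the file.
const pristine = {
  fnToString: Function.prototype.toString,
  getOwnPropertyDescriptor: Object.getOwnPropertyDescriptor,
  Map: globalThis.Map,
};

// Source text that a genuine native function reports.
const NATIVE_SOURCE = /\{\s*\[native code\]\s*\}\s*$/;

// 2. Audit one global name against its captured reference.
//    Returns { name, ok, findings } where findings lists what looks tampered.
function auditBuiltin(name, pristineRef, globalObj = globalThis) {
  const findings = [];
  const desc = pristine.getOwnPropertyDescriptor(globalObj, name);
  if (desc === undefined) {
    return { name, ok: false, findings: ['missing'] };
  }
  // A data property turned into a getter/setter is itself suspicious.
  if (!('value' in desc)) {
    findings.push('accessor');
  }
  const current = desc.value;
  // Identity against the captured reference is the authoritative signal.
  if (current !== pristineRef) {
    findings.push('identity-changed');
  }
  // The source-text check is only a heuristic: bound functions and Proxies
  // wrapping native functions also report [native code].
  let source = '';
  try {
    source = pristine.fnToString.call(current);
  } catch (e) {
    // Not a function at all; treat as non-native.
  }
  if (!NATIVE_SOURCE.test(source)) {
    findings.push('non-native-source');
  }
  return { name, ok: findings.length === 0, findings };
}

// 3. The report's wrapper pattern, applied to Map so it runs outside a
//    browser. It stands in for the page script whose effect we want to see.
function shadowMap() {
  const OriginalMap = globalThis.Map;
  const AugmentedMap = function (...args) {
    this.inner = new OriginalMap(...args);
  };
  AugmentedMap.prototype.set = function () {
    return 'intercepted';
  };
  globalThis.Map = AugmentedMap;
}

function restoreMap() {
  globalThis.Map = pristine.Map;
}

// Run the audit before and after shadowing; returns both results.
function demo() {
  const before = auditBuiltin('Map', pristine.Map);
  shadowMap();
  const after = auditBuiltin('Map', pristine.Map);
  restoreMap();
  return { before, after };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two design points follow from the page. First, the identity comparison is only meaningful if the capture step really ran before any other script, which a page cannot guarantee for itself; the source-text test is a fallback and can be fooled by bound functions. Second, that is exactly why the check is a content-side aid and not a security boundary: code that must not be confused by content, as the comment above says of Firefox system code, relies on the script-security mechanisms in the linked documentation rather than on inspecting the content global.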