Open Bug 923846 Opened 7 years ago Updated 3 years ago

Firefox is mangling objects in unexpected ways (Worker example).

Categories

(Core :: DOM: Workers, defect, P5)

24 Branch
x86
macOS
defect

UNCONFIRMED

People

(Reporter: pdp, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36

Steps to reproduce:

var augmentWorker = function (OriginalWorker) {
	var AugmentedWorker = function (script) {
		console.log(OriginalWorker.toString());
		
		this.worker = new OriginalWorker(script);
		
		console.log(this.worker.constructor.toString());
		
		this.worker.postMessage('hello');
	}
	
	AugmentedWorker.prototype.postMessage = function () {
		alert('wow');
	}
	
	return AugmentedWorker;
};

Worker = augmentWorker(Worker);

new Worker('insane');



Actual results:

postMessage from AugmentedWorker is called instead of the native Worker


Expected results:

The code should have called the native function. Moreover, there is a total mix of native worker object and the constructed js object.

This issue could potentially have security implications. I haven't researched it!
Caveat: Since I don't have as good an understanding of the internals of Firefox as our platform security folks do, I have bugged them to look at this too.

I don't think this is an outright security issue, as the ability to override built-in objects and methods is a feature, not a bug. There is certainly a lot of potential for abuse in changing how postMessage functionality works, but since it requires explicitly adding the code, or being vulnerable to XSS, I doubt this would be considered a bug.
Component: Untriaged → DOM: Workers
Product: Firefox → Core
Priority: -- → P5
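
Added example, not part of the bug report or of Firefox's code: it runs the reporter's wrapper against a constructed stand-in for the native Worker to show the result the report expects (the inner call reaches the native method), then shows how a page can pin the Worker binding and freeze its prototype so a later script cannot override either. The names makeScope, wrapperResult, lockDown and tamperReport are hypothetical, and the stand-in class only returns marker strings.

```javascript
// Constructed stand-in for the browser's native Worker, so this runs outside a browser.
function makeScope() {
  class Worker {
    constructor(script) { this.script = script; }
    postMessage(msg) { return 'native'; }
  }
  return { Worker };
}

// The reporter's wrapper pattern; alert() and console.log() replaced by return values.
function augmentWorker(OriginalWorker) {
  function AugmentedWorker(script) {
    this.worker = new OriginalWorker(script);
    // Looked up on OriginalWorker.prototype, so the native method is expected to run.
    this.firstCall = this.worker.postMessage('hello');
  }
  AugmentedWorker.prototype.postMessage = function () { return 'augmented'; };
  return AugmentedWorker;
}

// What the wrapper yields: inner call vs. call on the wrapper object itself.
function wrapperResult() {
  const w = new (augmentWorker(makeScope().Worker))('insane');
  return { inner: w.firstCall, outer: w.postMessage('x') };
}

// Hardening: pin the global binding and freeze the prototype before other scripts run.
function lockDown(scope) {
  Object.freeze(scope.Worker.prototype);
  Object.defineProperty(scope, 'Worker', { writable: false, configurable: false });
  return scope;
}

// Tries both overrides a later script could make and reports which took effect.
function tamperReport(scope) {
  const Native = scope.Worker;
  const nativePost = Native.prototype.postMessage;
  // When locked down, each write throws in strict mode and is silently ignored otherwise.
  try { scope.Worker = augmentWorker(Native); } catch (e) { /* binding is read-only */ }
  try { Native.prototype.postMessage = () => 'hijacked'; } catch (e) { /* frozen */ }
  return {
    ctorReplaced: scope.Worker !== Native,
    methodReplaced: Native.prototype.postMessage !== nativePost,
  };
}

console.log(wrapperResult(), tamperReport(makeScope()), tamperReport(lockDown(makeScope())));
```

In a browser the same two calls would target `window.Worker` and `Worker.prototype`, and they only help if they run before any untrusted script. Methods inherited from `EventTarget.prototype` are not covered by freezing `Worker.prototype`.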