Skip to content

Avoid interfering with our own snippets

Environment

Every snippet that is injected in a page, with every version of ABP.

How to reproduce

  1. visit https://webreflection.github.io/eyeo/snippets/seppuku.html?evil and read evil 1 and evil 2
  2. add the filter webreflection.github.io#$#abort-on-property-read Object.getOwnPropertyDescriptor
  3. reload the page and see errors in console, plus the evil 2 alert
  4. update the filter to tackle evil code 2: webreflection.github.io#$#abort-on-property-read Object.getOwnPropertyDescriptor; abort-on-property-read String.fromCharCode
  5. refresh the page, see now 3 errors in console, and the alerted evil 2 despite the filter

Observed behavior

We don't guard against our own primitives to intercept possible global variables, meaning each snippet using Object.getOwnPropertyDescriptor, or any other globally accessed property, will throw errors and never work as expected, if one of these global properties is targeted.

Expected behavior

There should be no more than 2 errors, and both evil 1 and evil 2 alerts should not appear.

Browser bugs (worked around)

https://bugzilla.mozilla.org/show_bug.cgi?id=1208775

Edited by Hubert Figuière