Harden capture against lazy-init tampering of Object.create and bind

cursoragent · cursoragent · commit 8f93c796a4a2 · 2026-05-28T18:09:47.000Z
Per Bugbot review feedback on PR #2729: even with Object.create(null) as the cache, the construction goes through globalThis.Object.create — which page JS can replace before transport construction runs, because Messaging is lazy on ContentFeature.messaging. Same concern applies to Function.prototype.bind used at capture time. - Switch capturedWebkitHandlers initializer from Object.create(null) to the { __proto__: null } literal, which is a syntactic construct rather than a method dispatch and so cannot be tampered with by page JS. - Stop calling .bind() at capture time. Store the handler object and the raw postMessage function as a { handler, postMessage } pair, and dispatch in wkSend via the captured ReflectApply (already imported from captured-globals.js, which captures Reflect.apply.bind(Reflect) at module-load time before any page JS can run). Adds two regression tests: - 'cache is not derived from a tampered Object.create' replaces Object.create with a tampered factory before the transport is constructed and asserts that the cache still rejects an unknown handler name with MissingHandler (rather than resolving a property injected by the tampered factory). - 'stores handler and postMessage as a separate pair' structurally asserts the capture stores raw references rather than a bound function, proving Function.prototype.bind is not on the capture or send path. (Direct Function.prototype.bind tampering in a Jasmine test breaks Jasmine itself because its spy machinery uses bind, so the structural assertion is the safe equivalent.) - 'dispatches through the captured handler with the correct `this`' asserts the send path preserves host-binding semantics via ReflectApply rather than a bare unbound call.
diff --git a/injected/unit-test/messaging-webkit.spec.js b/injected/unit-test/messaging-webkit.spec.js
@@ -120,4 +120,68 @@ describe('WebkitMessagingTransport', () => {
             delete Object.prototype.hostilePollutionHandler;
         }
     });
+
+    it('cache is not derived from a tampered `Object.create`', () => {
+        // Simulate page JS replacing Object.create *before* the transport is
+        // constructed (which can happen because Messaging is lazy on
+        // ContentFeature). The cache must still be a true null-prototype
+        // object, not one synthesised by the tampered Object.create.
+        const originalCreate = Object.create;
+        const tampered = jasmine.createSpy('tamperedObjectCreate').and.callFake(() => ({ polluted: true }));
+        Object.create = /** @type {any} */ (tampered);
+
+        try {
+            env = setupWebkit();
+            const transport = makeTransport();
+
+            // If the cache went through the tampered Object.create, looking up
+            // `polluted` would resolve to `true` (the tampered factory injected
+            // it as an own property). With `{ __proto__: null }` literal, it
+            // doesn't.
+            expect(() => transport.wkSend('polluted', {})).toThrowMatching(
+                (e) => e?.name === 'MissingHandler' || /Missing webkit handler/.test(e?.message ?? ''),
+            );
+        } finally {
+            Object.create = originalCreate;
+        }
+    });
+
+    it('stores handler and postMessage as a separate pair, not a single bound function', () => {
+        // Storing a `{ handler, postMessage }` pair rather than the result of
+        // `handler.postMessage.bind(handler)` is what lets wkSend dispatch via
+        // captured ReflectApply without going through Function.prototype.bind
+        // — which is critical because page JS can replace
+        // Function.prototype.bind before lazy transport construction
+        // (Messaging is lazy on ContentFeature.messaging). The structural
+        // check below proves the cache holds the raw references rather than a
+        // bound copy: a bound function would not be reference-equal to the
+        // original `postMessage`.
+        env = setupWebkit();
+        const transport = makeTransport();
+
+        const stored = transport.capturedWebkitHandlers.contentScopeScripts;
+
+        expect(stored.handler).toBe(env.handlers.contentScopeScripts);
+        expect(stored.postMessage).toBe(env.handlers.contentScopeScripts.postMessage);
+    });
+
+    it('dispatches through the captured handler with the correct `this` even without `.bind`', () => {
+        // Replace the host handler's postMessage with one that asserts on its
+        // `this`. If wkSend dispatched via a bare call (`postMessage(data)`)
+        // rather than ReflectApply against the captured handler, `this` would
+        // be wrong (undefined in strict mode) and the call would not preserve
+        // host-binding semantics.
+        env = setupWebkit();
+        const handler = env.handlers.contentScopeScripts;
+        const observed = { thisValue: /** @type {any} */ (undefined) };
+        handler.postMessage = function postMessage(/** @type {any} */ _data) {
+            observed.thisValue = this;
+            return Promise.resolve('{}');
+        };
+        const transport = makeTransport();
+
+        transport.wkSend('contentScopeScripts', { hello: 'world' });
+
+        expect(observed.thisValue).toBe(handler);
+    });
 });
diff --git a/messaging/lib/webkit.js b/messaging/lib/webkit.js
@@ -6,7 +6,13 @@
 import { MessagingTransport, MissingHandler } from '../index.js';
 import { isResponseFor, isSubscriptionEventFor } from '../schema.js';
 import { ensureNavigatorDuckDuckGo } from '../../injected/src/navigator-global.js';
-import { JSONparse, Error as _Error, ReflectDeleteProperty, objectDefineProperty } from '../../injected/src/captured-globals.js';
+import {
+    JSONparse,
+    Error as _Error,
+    ReflectApply,
+    ReflectDeleteProperty,
+    objectDefineProperty,
+} from '../../injected/src/captured-globals.js';
 
 /**
  * @example
@@ -25,9 +31,16 @@ export class WebkitMessagingTransport {
     /**
      * Null-prototype cache so a hostile page that pollutes `Object.prototype`
      * cannot supply a callable from there if `capture` ever misses a handler.
-     * @type {Record<string, any>}
+     *
+     * Uses the `{ __proto__: null }` literal rather than `Object.create(null)`
+     * because the latter is a method dispatch through `globalThis.Object`, which
+     * page JS could replace before this class field runs if transport
+     * construction is deferred (`Messaging` is lazy on `ContentFeature.messaging`).
+     * The `__proto__: null` literal is a syntactic construct, not method
+     * dispatch, so it always yields a true null-prototype object.
+     * @type {Record<string, { handler: any, postMessage: Function }>}
      */
-    capturedWebkitHandlers = Object.create(null);
+    capturedWebkitHandlers = /** @type {any} */ ({ __proto__: null });
 
     /**
      * @param {WebkitMessagingConfig} config
@@ -56,10 +69,12 @@ export class WebkitMessagingTransport {
      */
     wkSend(handler, data = {}) {
         const captured = this.capturedWebkitHandlers[handler];
-        if (typeof captured !== 'function') {
+        if (!captured || typeof captured.postMessage !== 'function') {
             throw new MissingHandler(`Missing webkit handler: '${handler}'`, handler);
         }
-        return captured(data);
+        // Use the captured ReflectApply so the send path doesn't go through
+        // any page-mutable function (`.call`, `.bind`, etc.).
+        return ReflectApply(captured.postMessage, captured.handler, [data]);
     }
 
     /**
@@ -108,20 +123,26 @@ export class WebkitMessagingTransport {
      * `window.webkit.messageHandlers` (e.g. by privacy hardening that nullifies
      * the namespace for site JS to reduce fingerprinting surface).
      *
+     * Stores the handler object and its `postMessage` function as a pair so
+     * `wkSend` can dispatch via the captured `ReflectApply` rather than calling
+     * `.bind()` here. `.bind` is a method on the page-mutable
+     * `Function.prototype` — if transport construction is deferred (`Messaging`
+     * is lazy on `ContentFeature.messaging`) page JS could replace
+     * `Function.prototype.bind` first and have the cache store an attacker-
+     * controlled function. Storing the unbound pair sidesteps that.
+     *
      * @param {string[]} handlerNames
      */
     captureWebkitHandlers(handlerNames) {
         const handlers = window.webkit.messageHandlers;
         if (!handlers) throw new MissingHandler('window.webkit.messageHandlers was absent', 'all');
         for (const webkitMessageHandlerName of handlerNames) {
-            if (typeof handlers[webkitMessageHandlerName]?.postMessage === 'function') {
-                /**
-                 * `bind` is used here to ensure future calls to the captured
-                 * `postMessage` have the correct `this` context
-                 */
-                const original = handlers[webkitMessageHandlerName];
-                const bound = handlers[webkitMessageHandlerName].postMessage?.bind(original);
-                this.capturedWebkitHandlers[webkitMessageHandlerName] = bound;
+            const handler = handlers[webkitMessageHandlerName];
+            if (typeof handler?.postMessage === 'function') {
+                this.capturedWebkitHandlers[webkitMessageHandlerName] = {
+                    handler,
+                    postMessage: handler.postMessage,
+                };
             }
         }
     }
