Spoofing Firefox protected objects


Author:

Gareth Heyes

@hackvertor

Published: Wed, 14 Nov 2007 11:28:28 GMT

Updated: Sat, 22 Mar 2025 15:38:06 GMT

I've been hacking Firefox in my spare time and I thought that it had adequate protection against spoofing properties like document.domain. I was wrong :) This could turn into a browser exploit in future if the spoofed objects are accepted by Firefox internally (I don't think they are, but you never know ;) ).

There are two ways of spoofing document.domain: 1) you can define a getter that overrides the call to document.domain, and 2) you can overwrite the prototype.

Here's how it works:

<pre lang="javascript">
// Technique 1: an own getter on the document instance shadows the inherited accessor
document.__defineGetter__("domain", function() { return 'www.google.co.uk'; });
alert(document.domain); // returns www.google.co.uk
</pre>
<pre lang="javascript">
// Technique 2: replace document's prototype so domain is no longer an inherited accessor,
// then assign a plain property in its place
document.__proto__ = String.__proto__;
document.prototype = String.__proto__;
document.domain = 'www.google.co.uk';
alert(document.domain); // returns www.google.co.uk
</pre>

The first technique allows you to spoof nearly everything apart from the location object. I think the location provides some extra security checks and I'm currently investigating spoofing that as well.
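As an added example (not from the original article), here is a Node-runnable model of the two techniques above together with a defender-side check that tells a shadowed or prototype-swapped `domain` apart from the genuine accessor. It assumes a constructed `FakeDocument` class standing in for the browser's `Document`, and spells the `__proto__` assignment as `Object.setPrototypeOf`.

```javascript
// Constructed model: in browsers `domain` is an accessor on Document.prototype,
// not an own property of `document`, so a script can shadow it (technique 1)
// or swap the prototype out from under it (technique 2). FakeDocument is a
// stand-in for the real Document, not browser code.
class FakeDocument {
  get domain() { return 'example.test'; }   // constructed "real" value
}

// Defender side: capture the genuine prototype and accessor once, before any
// later script runs, so the check does not depend on the (mutable) chain.
const TRUSTED_PROTO = FakeDocument.prototype;
const TRUSTED_GETTER = Object.getOwnPropertyDescriptor(TRUSTED_PROTO, 'domain').get;

// Compare what `doc.domain` reports against what the captured accessor returns,
// and flag the two tampering patterns described in the article.
function inspectDomain(doc) {
  const own = Object.getOwnPropertyDescriptor(doc, 'domain');
  return {
    reported: doc.domain,                                   // what naive code sees
    trusted: TRUSTED_GETTER.call(doc),                      // original getter, bypassing any shadow
    shadowed: own !== undefined,                            // own getter/data prop on the instance
    protoSwapped: Object.getPrototypeOf(doc) !== TRUSTED_PROTO,
  };
}

// Reproduce the article's two techniques on fresh instances and inspect each.
function runSpoofScenarios() {
  const clean = new FakeDocument();

  const viaGetter = new FakeDocument();                     // technique 1: own getter
  viaGetter.__defineGetter__('domain', function () { return 'www.google.co.uk'; });

  const viaProto = new FakeDocument();                      // technique 2: prototype swap
  Object.setPrototypeOf(viaProto, Object.getPrototypeOf(String)); // the article's String.__proto__
  viaProto.domain = 'www.google.co.uk';                     // no inherited accessor left, so this
                                                            // creates an own data property
  return {
    clean: inspectDomain(clean),
    viaGetter: inspectDomain(viaGetter),
    viaProto: inspectDomain(viaProto),
  };
}
```

The check only holds if the trusted descriptor is captured before untrusted script runs; a script that executes first can replace the prototype's accessor itself, which is why an origin check belongs in the browser, not in page script.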
