Published 18 years 6 months ago • Last updated July 25, 2025 • ⏱️ < 1 min read
I've been hacking Firefox in my spare time and I thought that it had adequate protection against spoofing properties like document.domain. I was wrong :) This could turn into a browser exploit in future if the spoofed objects are accepted by Firefox internally (I don't think they are, but you never know ;) ).
There are two ways of spoofing document.domain, 1) You can define a getter which overwrite the call to document.domain and 2) You can overwrite the prototype
Here's how it works:-
document.__defineGetter__("domain", function() { return 'www.google.co.uk'}); alert(document.domain); // returns www.google.co.uk
document.__proto__ = String.__proto__; document.prototype = String.__proto__; document.domain = 'www.google.co.uk'; alert(document.domain); // returns www.google.co.uk
The first technique allows you to spoof nearly everything apart from the location object. I think the location provides some extra security checks and I'm currently investigating spoofing that as well.