Implement custom security for Events

[david0xd]

Initial proposal for wrapper implementation:
During the hardening endowments work it is discovered that AbortController and AbortSignal endowments are exposing more functionalities that might be a security concern. Particularly the major concern was the exposure of the Event-related API.

This ticket needs to focus on making Events secure, then AbortSignal and AbortController will not be exposing security risks anymore.

Acceptance criteria is taken from Gal's comment below: #1132 (comment)

[weizman]

I spent around an hour trying to invoke any type of an event just to see if it actually leaks DOM/real global object inside a snap sandboxed iframe and was simply not able to, so this vector of attack seems to be rather safe IMO.

Nevertheless, it is recommended that when creating the sandbox, to limit the events from leaking sensitive objects "just in case". This can be done by overriding own properties of prototypes of all existing events.

I mapped out all the different prototypes that inherit from Event and looked them up for properties that leak such sensitive objects. Based on that, I then created some code that iterates them and blocks them from leakage.

The result is:

(function(global){
    const map = {
        "UIEvent": [
            "view"
        ],
        "MutationEvent": [
            "relatedNode"
        ],
        "MessageEvent": [
            "source"
        ],
        "FocusEvent": [
            "relatedTarget"
        ],
        "MouseEvent": [
            "relatedTarget",
            "fromElement",
            "toElement"
        ],
        "TouchEvent": [
            "targetTouches",
            "touches"
        ],
        "Event": [
            "target",
            "currentTarget",
            "srcElement",
            "composedPath"
        ]
    };

    for (const event in map) {
        const props = map[event];
        for (const prop of props) {
            Object.defineProperty(global[event].prototype, prop, {
                value: undefined, configurable: false, writable: false,
            });
        }
    }
}(globalThis));

I wish this could have been done automatically at runtime, but that's difficult because:

1. Hard to climb down the proto chain from Event to see which protos inherit from it.
2. Even if accomplished, even harder to tell which own properties of those protos leak sensitive objects.
3. Since some of the above implement their own properties that leak, patching the father (Event) won't work here.

This code should be integrated into snaps arch, to where snaps creates the iframe, by calling it with the instance of the window proxy object of the sandboxed iframe right after is attached to DOM.

I of course am open to better suggestions on this 🙏

(also the descriptor in the example can be anything else - underfined, throw an exception, return a proxy instead of the real window - it's up to you. I feel ok with undefined)

As far as I understand, implementing this will require no special treatment to AbortSignal and AbortController