From d4bb26935a83085dc4bbddada884c86092dfc2b7 Mon Sep 17 00:00:00 2001
From: peter.hornak
Date: May 19 2020 07:23:14 +0000
Subject: Bugfix: Prevent page scripts from deleting wrappings
Previously, page script can get to the original code:
console.log(Date.now()); delete Date.now; console.log(Date.now());
Note that this commit increases the fingerprintability of the browser:
Date.now = () => 1; console.log(Date.now());
Without our wrapping, Date.now() returns 1 while with this commit, the code returns the wrapped value.
See also: Michael Schwarz, Florian Lackner, and Daniel Gruss. 2019. JavaScript Template Attacks: Automatically Inferring Host Information for Targeted Exploits. In Network and Distributed Systems Security (NDSS) Symposium.
---
diff --git a/common/wrapping.js b/common/wrapping.js
index 5561876..c9598f0 100644
--- a/common/wrapping.js
+++ b/common/wrapping.js
@@ -73,6 +73,7 @@ var build_code = function(wrapper, ...args) {
 ${wrapper.wrapper_prototype});
 `
 }
+ code += `Object.freeze(${wrapper.parent_object}.${wrapper.parent_object_property});`;
 return enclose_wrapping(code, ...args);
 };
 var inject_code = injectScript;
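Review bot: The added `Object.freeze(...)` line freezes the object that `parent_object.parent_object_property` currently points to, not the property slot on the parent, so it protects the wrapped object's own members but leaves the slot itself writable and configurable. That covers the `Date.now` case in the description only if the wrapper replaces `window.Date` as a whole (the wrapper definitions are not visible here). For any wrapper whose property is itself the wrapped function, a page script could presumably still reassign or delete it. Consider also locking the slot in the generated code, e.g. `Object.defineProperty(${wrapper.parent_object}, "${wrapper.parent_object_property}", {writable: false, configurable: false});`, and add a comment that the freeze is shallow and that the resulting non-writable property is itself observable, as the commit message notes. The body of `build_code` starts outside this hunk, so whether the freeze runs for wrappers that define no wrapping function cannot be checked from here.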