diff --git a/src/client/shared/event.ts b/src/client/shared/event.ts
index de8ad59..176e578 100644
--- a/src/client/shared/event.ts
+++ b/src/client/shared/event.ts
@@ -53,12 +53,19 @@ export default function (client: ScramjetClient, self: Self) {
 client.Proxy("EventTarget.prototype.addEventListener", {
 apply(ctx) {
+ unproxy(ctx, client);
 // if (ctx.args[0] === "message" && iswindow) debugger;
 if (typeof ctx.args[1] === "function")
 ctx.args[1] = wraplistener(ctx.args[1]);
 },
 });
+ client.Proxy("EventTarget.prototype.dispatchEvent", {
+ apply(ctx) {
+ unproxy(ctx, client);
+ },
+ });
+
 // TODO: removeEventListener
 if (!iswindow) return;
diff --git a/src/worker/fetch.ts b/src/worker/fetch.ts
index 8a22706..7544beb 100644
--- a/src/worker/fetch.ts
+++ b/src/worker/fetch.ts
@@ -45,6 +45,11 @@ export async function swfetch(
 try {
 const url = new URL(decodeUrl(request.url));
+ if (url.origin == new URL(request.url).origin) {
+ throw new Error(
+ "attempted to fetch from same origin - this means the site has obtained a reference to the real origin, aborting"
+ );
+ }
 const headers = new Headers();
 for (const [key, value] of request.headers.entries()) {
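Review bot: `removeEventListener` is still left at the `// TODO` below the new `dispatchEvent` proxy, so after this change `addEventListener` and `dispatchEvent` call `unproxy(ctx, client)` while removal does not. Because `addEventListener` replaces a function listener with `wraplistener(ctx.args[1])`, a later removal with the original function will presumably not match unless `wraplistener` returns a stable wrapper per listener; that helper is outside the hunk, so confirm. I would add a matching `client.Proxy("EventTarget.prototype.removeEventListener", …)` that calls `unproxy(ctx, client)` and maps `ctx.args[1]` to the same wrapper. The two new `unproxy` calls also deserve a one-line comment stating what they replace before the native call runs, since `unproxy` is defined elsewhere. The enclosing function starts and ends outside the hunk.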
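Review bot: The new same-origin guard throws inside the `try` block of `swfetch`, and the matching `catch` is outside the hunk, so whether it fails closed depends on code not shown: confirm the handler returns an error response rather than continuing to a network fetch, and check whether the error text ends up in a response the site can read. The comparison uses `new URL(request.url).origin`; if the intent is the proxy's own origin, comparing against the worker's origin is more direct and does not depend on which request reached the handler, for example `if (url.origin === self.location.origin) {`, which also replaces `==` with `===`. A short comment above the check explaining why a decoded URL on the same origin is treated as an escape from the proxy would help the next reader.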