From 3826197093cc61f6d596b0e74032729468ecfd3c Mon Sep 17 00:00:00 2001
From: velzie
Date: Fri, 2 Aug 2024 14:23:11 -0400
Subject: [PATCH] add failsafe
---
 src/client/shared/event.ts | 7 +++++++
 src/worker/fetch.ts | 5 +++++
 2 files changed, 12 insertions(+)
diff --git a/src/client/shared/event.ts b/src/client/shared/event.ts
index de8ad59..176e578 100644
--- a/src/client/shared/event.ts
+++ b/src/client/shared/event.ts
@@ -53,12 +53,19 @@ export default function (client: ScramjetClient, self: Self) {
 client.Proxy("EventTarget.prototype.addEventListener", {
 apply(ctx) {
+ unproxy(ctx, client);
 // if (ctx.args[0] === "message" && iswindow) debugger;
 if (typeof ctx.args[1] === "function") ctx.args[1] = wraplistener(ctx.args[1]);
 },
 });
+ client.Proxy("EventTarget.prototype.dispatchEvent", {
+ apply(ctx) {
+ unproxy(ctx, client);
+ },
+ });
+
 // TODO: removeEventListener
 if (!iswindow) return;
diff --git a/src/worker/fetch.ts b/src/worker/fetch.ts
index 8a22706..7544beb 100644
--- a/src/worker/fetch.ts
+++ b/src/worker/fetch.ts
@@ -45,6 +45,11 @@ export async function swfetch(
 try {
 const url = new URL(decodeUrl(request.url));
+ if (url.origin == new URL(request.url).origin) {
+ throw new Error(
+ "attempted to fetch from same origin - this means the site has obtained a reference to the real origin, aborting"
+ );
+ }
 const headers = new Headers();
 for (const [key, value] of request.headers.entries()) {
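Review bot: In `src/client/shared/event.ts` the failsafe covers `addEventListener` and `dispatchEvent` but not `removeEventListener`, which the `// TODO: removeEventListener` line at the end of the hunk still leaves unhooked. `unproxy` is defined outside this hunk; if it swaps proxied objects in `ctx` for the real ones, as its name suggests, the same `apply(ctx) { unproxy(ctx, client); }` hook on `EventTarget.prototype.removeEventListener` would give all three entry points the same treatment. A short comment above the first `unproxy(ctx, client);` call stating what the call guards against would help the next reader, since the commit message only says "add failsafe". The enclosing function starts and ends outside the hunk.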
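Review bot: In `src/worker/fetch.ts` the new same-origin guard throws inside the `try` of `swfetch`, and the matching `catch` is outside this hunk, so it is worth confirming that the handler turns this error into an explicit error response and logs it rather than swallowing it. The comparison should use strict equality, `if (url.origin === new URL(request.url).origin) {`; both operands are strings, so behaviour is unchanged. A trip of this check means page code reached the real origin, so recording the decoded `url.href` alongside the message would make the event traceable. If the handler renders the message into a page, that value needs escaping first.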