TOCTOU bug. shadowRoot property modified _after_ node is added to the DOM tree. #11

@init-js

This is less important, given that shadowRoot is no longer a property in recent versions of Chrome.

The protections of the content script should still be put in place on objects and prototypes before the application has a chance to use them.

```js
inputBox.parentNode.removeChild(inputBox);
inputBox = inputBox.cloneNode();
Object.defineProperty(inputBox, "shadowRoot", {configurable: false});
parentBox.appendChild(inputBox);
```

The page code above makes the shadowRoot property non-configurable on the object before it is added to the DOM. The mutation observer in shadowcrypt (the one in charge of deleting that attribute) runs only after the element is added. Reconfiguration will fail.

It would be a good idea to make sure the properties modified have the expected flags before they are modified.
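One way to do the flag check suggested above, as an added example that is not code from this issue or from the project: `lockProperty` is a hypothetical helper that reads the property descriptor before redefining and re-reads it afterwards, so the caller can fail closed when the page fixed the flags first. Plain objects stand in for DOM elements so it runs outside a browser.

```javascript
'use strict';

// Hypothetical helper (not the extension's API): pin `name` on `obj` to `value`
// and report what actually happened instead of assuming the redefine worked.
function lockProperty(obj, name, value) {
  const pinned = (d) => d !== undefined && 'value' in d &&
    Object.is(d.value, value) && d.writable === false && d.configurable === false;

  const before = Object.getOwnPropertyDescriptor(obj, name);
  if (before && before.configurable === false) {
    // Flags were fixed before we ran: delete and redefine can no longer be relied on.
    return pinned(before) ? 'already-locked' : 'tampered';
  }
  if (!before && !Object.isExtensible(obj)) {
    return 'tampered'; // cannot add an own property to shadow the prototype
  }
  Object.defineProperty(obj, name, {
    value, writable: false, enumerable: false, configurable: false,
  });
  // Re-read the descriptor: trust the resulting flags, not the call.
  return pinned(Object.getOwnPropertyDescriptor(obj, name)) ? 'locked' : 'tampered';
}

// Constructed stand-ins for DOM elements (sample data, not real nodes).
function demo() {
  const fresh = { shadowRoot: { note: 'constructed' } };
  const preLocked = { shadowRoot: { note: 'constructed' } };
  // What the page code in the issue does before the element is re-attached:
  Object.defineProperty(preLocked, 'shadowRoot', { configurable: false });
  return {
    fresh: lockProperty(fresh, 'shadowRoot', null),
    preLocked: lockProperty(preLocked, 'shadowRoot', null),
    repeat: lockProperty(fresh, 'shadowRoot', null),
    preLockedValueStillReadable: preLocked.shadowRoot !== null,
  };
}

console.log(demo());
```

A caller that gets `'tampered'` should treat the element as untrusted rather than continue as if the property had been neutralised.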
