fix: guard handshake and webpack's defineProperty

scripts/webpack-protect-bootstrap-plugin.js

@@ -18,7 +18,7 @@ class WebpackProtectBootstrapPlugin {
         'installedModules = {};',
         `installedModules = ${NULL_OBJ}; \
          for (let i = 0, c, str = "cdmnoprt"; i < str.length && (c = str[i++]);) \
-           defineProperty(${requireFn}, c, { value: undefined, writable: true });`,
+           defineProperty(${requireFn}, c, { ${NULL_PROTO}, value: undefined, writable: true });`,
       ]]));
       hooks.moduleObj.tap(NAME, src => replace(src, [[
         'exports: {}',
@@ -31,7 +31,7 @@ class WebpackProtectBootstrapPlugin {
       hooks.requireExtensions.tap(NAME, src => replace(src, [
         ["(typeof Symbol !== 'undefined' && Symbol.toStringTag)", '(true)'],
         ['Symbol.toStringTag', 'toStringTag'],
-        ['Object.defineProperty', 'defineProperty'],
+        [/Object\.(defineProperty\([^){\n]+{)/g, `$1${NULL_PROTO},`],
         ['Object.create(null)', NULL_OBJ],
         ['for(var key in value)', 'for(const key in value)'],
         ['function(key) { return value[key]; }.bind(null, key)',

src/injected/content/inject.js

@@ -48,7 +48,6 @@ if (IS_FIREFOX) {
   }, true);
 } else {
   safeDefineProperty(global, VAULT_WRITER, {
-    configurable: false,
     value: tellBridgeToWriteVault,
   });
 }
@@ -74,8 +73,9 @@ export function injectPageSandbox(contentId, webId) {
    * Instead, we'll send the ids via a temporary handshakeId event, to which the web-bridge
    * will listen only during its initial phase using vault-protected DOM methods. */
   const handshakeId = getUniqIdSafe();
-  const handshaker = () => {
+  const handshaker = evt => {
     pageInjectable = true;
+    evt::stopImmediatePropagation();
     bindEvents(contentId, webId, bridge, cloneInto);
     fireBridgeEvent(handshakeId + process.env.HANDSHAKE_ACK, [webId, contentId], cloneInto);
   };