Web Worker ran from a different source than the page passed (worker-scope spoof injection)

br.worker_source_rewritten  ·  convicts

browserlayer
artifactcategory
1evaders caught

What it catches

The FUNDAMENTAL realm-coherence catch — it convicts worker-scope spoof injection by its DATA signature rather than the constructor's structural tells, so it is robust to the entire Worker-constructor-disguise ladder. A real new Worker(url) runs in a WorkerGlobalScope whose self.location.href EQUALS the blob URL the page passed; to inject a spoof into worker scope a tool MUST rewrite the worker source (prepend the navigator override + importScripts the original), which produces a NEW blob URL, so the worker is constructed from a different url → self.location.href != the passed url. The collector captures the URL it passes, has the worker report self.location.href, and fires on mismatch. This catches WORKER_WRAP (plain-function wrap), WORKER_PROXY (Proxy-over-native, toString reflects '[native code]') AND WORKER_PROXY_FIX (Proxy + prototype.constructor repair, which defeats BOTH invariants of br.worker_constructor_tampered) — all three rewrite the source, none can keep the same URL while changing the code. v0.74.47 GROUNDED LIVE: WORKER_PROXY_FIX defeats worker_divergence + worker_constructor_tampered (the prior rung) but trips this; WORKER_WRAP and WORKER_PROXY also trip it; plain STEALTH and real Chromium (worker runs the page's own blob unchanged → href == passed url) do NOT — FP-safe. FP-safe ACTIVE by construction: a real browser, a legit CDP override and an extension (isolated world, does not wrap window.Worker) all leave the worker's source URL equal to the one the page created. Residual (next rung, documented): the injected worker code could ALSO override WorkerLocation.prototype.href to echo the original url — but that leaves a non-native WorkerLocation.href in worker scope, a further self-incriminating tamper. Complements br.worker_constructor_tampered (which catches the constructor disguise directly); this catches the injection's unavoidable consequence.

Signals it reads

browser.worker_source_rewritten

How it fires

present

Evaders it caught 1

Bypassed by 10

Frontier evaders that reach the detector uncaught (scored only suspicious, defeating every convicting tell) — this check is not one that stops them. The red-team frontier this detection still has to convict.

← all detections