How can eval code not have a calling context?
Brendan Eich
brendan at mozilla.org
Fri Jun 20 14:44:53 PDT 2008
On Jun 19, 2008, at 8:20 PM, Mark S. Miller wrote:
>> Some browsers support indirect eval, allowing this:
>>
>> setTimeout(eval, 0, "alert('hi mom')")
>>
>> The window used is the one in which setTimeout was found along the
>> scope
>> chain, so
>>
>> myFrame.setTimeout(eval, 0, "alert(x)")
>>
>> should show myFrame.x, not the calling frame or window's x.
>>
>> This is not something patched Firefox major versions support.
>
>
> Thanks, this was very clarifying. Which of these cases would ES4
> consider to be uses of the eval operator, and which of the eval
> function?
No eval operator calls above ;-). No function calls to foo.eval where
foo is a window either. These are indirect eval calls via setTimeout.
We ban them in Firefox precisely because there is no calling context,
so we don't know the trust label of the caller.
/be
More information about the Es4-discuss
mailing list