eval operator with != 1 arguments

Kevin Curtis kevinc1846 at googlemail.com
Fri Jan 8 19:32:05 PST 2010


A bit off topic:
FF had a second argument to eval which enabled a form of sandboxing
but was removed due to security issues - peeking into closures:
https://bugzilla.mozilla.org/show_bug.cgi?id=442333

With ES5 strict mode and the ability to freeze objects could this eval
be 'resurrected' (once again) to meet the sandboxing usecase (see
comment #20 in the bug report).
This revised eval could be the basis for a module system. The second
argument acts as a dependency injection container for modules.
// ES5 strict mode only
// second context arg must be frozen
const mymod = eval("...", myglobal);

Maybe the second arg should be a string which itself is eval'ed in a
clean context to return a frozen global object (or a least one where
the primordials are frozen). Thus the second arg could not be used to
peek into existing objects which are hiding private vars via closures.
Modules using this eval would exist in a more restrictive world than
even ES5 strict mode - but maybe that is a good thing.


More information about the es-discuss mailing list