global object in strict mode

Mark S. Miller erights at google.com
Fri Aug 24 11:15:56 PDT 2012


On Fri, Aug 24, 2012 at 10:51 AM, Brendan Eich <brendan at mozilla.org> wrote:

> Kris Kowal wrote:
>
>> On Fri, Aug 24, 2012 at 10:41 AM, Brendan Eich<brendan at mozilla.org>
>>  wrote:
>>
>>> I'm not sure what the problem is -- I read the old thread, and noticed
>>> the solution:
>>>
>>> var global = Function("return this")();
>>>
>>> This is good for any code mode, strict or non-strict. Does CSP ban
>>> Function as well as eval?
>>>
>>
>> CSP does forbid the Function constructor, by the edict “Code will not
>> be created from strings”.
>>
>> http://www.w3.org/TR/CSP/ Section 4.2 “If unsafe-eval is not allowed…”
>>
>
> Sure, makes sense (I think I even knew that once -- have to catch up on
> CSP when I have some time, next millennium :-P).
>
> Is it common to want an expression, usable in any context (non-strict,
> strict, CSP, deep in a function nest with potentially many names in scope,
> some of which might shadow globals), that evaluates to "the current global
> object"?
>
> JS libraries do things like
>
> (function (global) {
>   // all the code here
> })(this);
>
> and that works, as well as the brute force
>
> var global = this;
>
> approach. But one must take care not to shadow the name.
>
> Could ES6 add a predefined global property named 'global', set to
> reference the global object? I suppose maybe - it would be writable or (to
> use WebIDL's term) [Replaceable]. We can't just make a const global, we
> will break extant code.
>
> Is this global global important to standardize?


It is important to not standardize. The global provides essentially the
full authority provided by that frame. CSP restricts eval and Function
presumably for some security reason ;). ES5/strict prevents ambient access
to the global because it leads both to bad software engineering and to
security holes. SES makes use of that inability to provide a virtualized
global to untrusted code executing within the frame. SES virtualizes
Function and eval at the same time, which prevents backdoor access to the
real global.



>
>
> /be
>
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss
>



-- 
    Cheers,
    --MarkM
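The following is an added example, not code from this thread or from SES. It exercises the three routes to the global object that the exchange above discusses: the strict-mode `this` idiom, the `Function("return this")()` backdoor (and what a CSP without `unsafe-eval` does to it), and a small host-side sketch of why a confinement system must also replace `Function`, as the reply says SES does. The names `runGuest`, `guestEscapes`, `blockedFunction` and `virtualGlobal` are this example's own, and the guest source strings are constructed inputs.

```javascript
// 1. In a strict-mode function, a plain call binds `this` to undefined, so
//    `var global = this;` only works at the top level of a classic script and
//    `})(this)` fails once the IIFE is nested inside another strict function.
function thisInStrictFunction() {
  'use strict';
  return this; // undefined, not the global object
}

// 2. Function('return this')() compiles a non-strict function, so its `this`
//    is the real global whatever mode the caller is in. Under a CSP that
//    forbids 'unsafe-eval', the Function constructor throws an EvalError
//    instead; report that as null rather than crash.
function globalViaFunctionConstructor() {
  try {
    return Function('return this')();
  } catch (e) {
    if (e instanceof EvalError) return null; // blocked by CSP
    throw e;
  }
}

// 3. Sketch of confinement: guest source is compiled by the trusted host into
//    a strict function that receives a frozen "virtual global". Denying ambient
//    `this` is not enough on its own; with shadowFunction=true the guest's
//    `Function` name is bound to a stub, closing the route shown in (2).
//    This is a stand-in for the idea in the reply, not SES, and it does not
//    handle eval, globalThis, or other globals reachable by name.
function blockedFunction() {
  throw new EvalError('Function constructor is not available to guest code');
}

function runGuest(src, virtualGlobal, { shadowFunction = true } = {}) {
  const params = shadowFunction ? ['global', 'Function'] : ['global'];
  // The host may use the real Function constructor; the guest body is forced
  // into strict mode so its own `this` is whatever the host passes (undefined).
  const guest = new Function(...params, '"use strict";\n' + src);
  const args = shadowFunction
    ? [Object.freeze(virtualGlobal), blockedFunction]
    : [Object.freeze(virtualGlobal)];
  return guest.call(undefined, ...args);
}

// True when the guest source manages to return the real global object.
function guestEscapes(src, opts) {
  try {
    return runGuest(src, { Math, JSON }, opts) === globalThis;
  } catch (e) {
    if (e instanceof EvalError) return false; // stub Function refused it
    throw e;
  }
}

// Constructed guest inputs: a well-behaved guest and one using the backdoor.
const benignGuest = 'return global.Math.max(1, 2);';
const backdoorGuest = "return Function('return this')();";
```

Running `guestEscapes(backdoorGuest, { shadowFunction: false })` shows the escape succeeding even though the guest body is strict, and the default `guestEscapes(backdoorGuest)` shows it failing once `Function` is shadowed; `(0, eval)('this')` would still get through this sketch, which is why the reply names eval alongside Function.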