global object in strict mode

Bill Frantz frantz at pwpconsult.com
Sat Aug 25 07:25:56 PDT 2012


On 8/24/12 at 10:46, kris.kowal at cixar.com (Kris Kowal) wrote:

>On Fri, Aug 24, 2012 at 10:41 AM, Brendan Eich <brendan at mozilla.org> wrote:
>>I'm not sure what the problem is -- I read the old thread, and noticed the
>>solution:
>>var global = Function("return this")();
>>This is good for any code mode, strict or non-strict. Does CSP ban Function
>>as well as eval?
>
>CSP does forbid the Function constructor, by the edict “Code will not
>be created from strings”.
>
>http://www.w3.org/TR/CSP/ Section 4.2 “If unsafe-eval is not allowed…”

Of course you can't do this. One can always write an interpreter
in JavaScript and interpret any string as code.

What you can do is keep interpretation from using "forbidden"
features by preventing them from being used by the interpreter,
and therefore any language it is interpreting. You cannot
easily prevent such features from being used by strings being eval-ed.

Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz        | If the site is supported by  | Periwinkle
(408)356-8506      | ads, you are the product.    | 16345 Englewood Ave
www.pwpconsult.com |                              | Los Gatos, CA 95032
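
Added example, not part of the original message: a minimal sketch of the interpreter idea discussed above. It evaluates a string as arithmetic without `eval` or `Function`, so a CSP without `unsafe-eval` does not block it, and the interpreted text can reach only the names passed in `allowed`. The grammar and the names `interpret` and `allowed` are constructed for this illustration.

```javascript
// Added example: a tiny expression interpreter that never calls eval or Function.
// Grammar (constructed for this example):
//   expr   := term (('+'|'-') term)*
//   term   := factor (('*'|'/') factor)*
//   factor := number | name | name '(' args ')' | '(' expr ')'
function interpret(source, allowed) {
  // Null-prototype copy: names such as "constructor" or "__proto__" resolve to nothing.
  const env = Object.assign(Object.create(null), allowed);
  const tokens = source.match(/\d+(?:\.\d+)?|[A-Za-z_]\w*|[-+*/(),]|\S/g) || [];
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];
  const expect = (t) => { if (next() !== t) throw new SyntaxError(`expected ${t}`); };

  function factor() {
    const t = next();
    if (t === undefined) throw new SyntaxError("unexpected end of input");
    if (/^\d/.test(t)) return Number(t);
    if (t === "(") { const v = expr(); expect(")"); return v; }
    if (/^[A-Za-z_]/.test(t)) {
      // The only reachable identifiers are the ones the host chose to expose.
      if (!(t in env)) throw new ReferenceError(`${t} is not exposed by the interpreter`);
      if (peek() !== "(") return env[t];
      next(); // consume "("
      const args = [];
      if (peek() !== ")") { do { args.push(expr()); } while (peek() === "," && next()); }
      expect(")");
      if (typeof env[t] !== "function") throw new TypeError(`${t} is not callable`);
      return env[t](...args);
    }
    throw new SyntaxError(`unexpected token ${t}`);
  }
  function term() {
    let v = factor();
    while (peek() === "*" || peek() === "/") v = next() === "*" ? v * factor() : v / factor();
    return v;
  }
  function expr() {
    let v = term();
    while (peek() === "+" || peek() === "-") v = next() === "+" ? v + term() : v - term();
    return v;
  }
  const result = expr();
  if (pos < tokens.length) throw new SyntaxError(`unexpected token ${peek()}`);
  return result;
}
```

Because the grammar has no member access and no `this`, the interpreted string cannot reach the global object unless the host puts it in `allowed`.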


