global object in strict mode

Mark S. Miller erights at google.com
Sat Aug 25 12:51:52 PDT 2012


On Sat, Aug 25, 2012 at 7:25 AM, Bill Frantz <frantz at pwpconsult.com> wrote:

> On 8/24/12 at 10:46, kris.kowal at cixar.com (Kris Kowal) wrote:
>
>> On Fri, Aug 24, 2012 at 10:41 AM, Brendan Eich <brendan at mozilla.org> wrote:
>>
>>> I'm not sure what the problem is -- I read the old thread, and noticed
>>> the solution:
>>> var global = Function("return this")();
>>> This is good for any code mode, strict or non-strict. Does CSP ban
>>> Function as well as eval?
>>>
>>
>> CSP does forbid the Function constructor, by the edict “Code will not
>> be created from strings”.
>>
>> http://www.w3.org/TR/CSP/ Section 4.2 “If unsafe-eval is not allowed…”
>>
>
> Of course you can't do this. One can always write an interpreter in
> Javascript and interpret any string as code.
>
> What you can do is keep interpretation from using "forbidden" features by
> preventing them from being used by the interpreter, and therefore any
> language it is interpreting. You can not easily prevent such features from
> being used by strings being eval-ed.
>

Hi Bill, well put. This is precisely what the SES confining eval does -- it
denies access by default to any object that can cause any externally
visible effects. It therefore provides all the integrity that can be
provided by denying access to eval, but it does so while still dynamically
providing the full power of JS to compute computable functions, obviating
the need to write such an eval in JS. SES accepts a different subset of JS
than the eval-prohibiting CSP, and therefore breaks a different subset of
existing programs. It would be interesting to measure which subsetting is
more painful.



>
> Cheers - Bill
>
> -----------------------------------------------------------------------
> Bill Frantz        | If the site is supported by  | Periwinkle
> (408)356-8506      | ads, you are the product.    | 16345 Englewood Ave
> www.pwpconsult.com |                              | Los Gatos, CA 95032
>
>
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss
>



-- 
    Cheers,
    --MarkM
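The thread turns on two points: `Function("return this")()` recovers the global object in any code mode, and a CSP without `unsafe-eval` blocks that trick because it creates code from a string. The snippet below is an added example, not code from the thread, from SES, or from the CSP specification. It shows why strict mode needs the trick at all, probes whether the environment permits code to be created from strings, and offers a lookup that never does so. All function names are my own, and the name-based lookup assumes the environment exposes its global object under one of the standard names `globalThis`, `self`, `window` or `global`.

```javascript
// Added example (not from the thread): obtaining the global object in
// strict mode without depending on the Function constructor, which a CSP
// lacking 'unsafe-eval' blocks ("Code will not be created from strings").

// In strict mode a plain function call binds `this` to undefined, so the
// sloppy-mode habit of reading the global object from `this` fails.
function strictThis() {
  'use strict';
  return this; // undefined when called as strictThis()
}

// Probe whether this environment allows code to be created from strings.
// Under a CSP without 'unsafe-eval' the Function constructor throws, so a
// false result means string-based tricks must not be relied on.
function canCreateCodeFromStrings() {
  try {
    Function('return 1')();
    return true;
  } catch (e) {
    return false;
  }
}

// The thread's technique: works in any code mode, but is blocked by CSP
// because it compiles a string into a function.
function globalViaFunction() {
  return Function('return this')();
}

// CSP-safe lookup: no code is created from strings. It checks the names an
// environment exposes for its global object (assumed here: globalThis,
// self in browsers and workers, window, global in Node). `typeof` on an
// undeclared identifier does not throw, even in strict mode.
function globalViaNames() {
  'use strict';
  if (typeof globalThis === 'object' && globalThis) return globalThis;
  if (typeof self === 'object' && self) return self;
  if (typeof window === 'object' && window) return window;
  if (typeof global === 'object' && global) return global;
  throw new Error('unable to locate the global object by name');
}

// Prefer the CSP-safe path; fall back to the string-based trick only where
// creating code from strings is actually permitted.
function getGlobalObject() {
  try {
    return globalViaNames();
  } catch (e) {
    if (canCreateCodeFromStrings()) return globalViaFunction();
    throw e;
  }
}
```

Run in Node, `getGlobalObject()` returns the same object as `globalThis` without ever calling `Function`; under a browser CSP that omits `unsafe-eval`, `canCreateCodeFromStrings()` returns false and only the name-based path is used.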