How to ensure that your script runs first in a webpage

Mark S. Miller erights at
Sat Feb 4 09:14:06 PST 2012

On Sat, Feb 4, 2012 at 3:48 AM, David Bruant <bruant.d at> wrote:

> The internalCompileExpr function uses "with", how will this code behave in
> ES6 since it's built on top of ES5 strict?

a) ES6 will still support non-strict code. An indirect ES6 eval (as used
here) will still eval non-strict as long as the string being evaluated
doesn't start with "use strict";. The strictness of the caller of an
indirect eval doesn't matter. So the existing SES code should work securely
on an ES6 system, as far as we can tell.

b) Even the lightweight scanning we're currently doing on ES5 to pick up
all potential free variable names will be unnecessary in ES6, since we can
just do "with (proxy) {".

c) The ES6 module loader should make all these with-games unnecessary
anyhow, since it gives us a principled approach for controlling the top
level scope of untrusted code. Long term, this is the real answer.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the es-discuss mailing list