Standard modules?

David Bruant bruant.d at gmail.com
Mon Jan 20 10:22:46 PST 2014


On 20/01/2014 18:39, Brendan Eich wrote:
> Allen Wirfs-Brock wrote:
>> It isn't clear that there is much need for a global name for 
>> GeneratorFunction.  If you really need to access it you can always get it 
>> via:
>>
>>    (function *() {}).constructor
Do we even need (function *() {}).constructor !== Function?
(and [[FunctionKind]] "generator" and a different @@toStringTag and...)
What is its use case anyway? Creating a generator from source?
What's wrong with:
     eval("(function*(x, y, z, ...yo){/*body*/})")
(and when the source isn't trusted, use indirect eval or soon enough the 
module loader)

> Does this present a hazard for CSP, which provides policy controls 
> governing Function?
It introduces something that probably should be disabled by default and 
re-enabled only if the unsafe-eval "origin" is present.
From a security perspective, note that this is a marginal 
(non-existent) protection and the underlying capability (executing 
arbitrary code) remains since an attacker can download a JS interpreter 
to eval any string itself.

David
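
An added example, not part of the original message: a small audit that enumerates the constructors able to compile a source string into a function, including the ones with no global name, and reports whether the current runtime policy blocks each one. It goes beyond the thread by also covering the async constructors added to the language later; the function names `dynamicFunctionConstructors` and `auditStringCompilation` are hypothetical.

```javascript
// Every constructor that turns a source string into a function.
// Only Function has a global binding; the others are reached via a literal.
function dynamicFunctionConstructors() {
  return {
    Function: Function,
    GeneratorFunction: (function* () {}).constructor,
    // Later additions to the language, reachable the same way.
    AsyncFunction: (async function () {}).constructor,
    AsyncGeneratorFunction: (async function* () {}).constructor,
  };
}

// Probe each entry point with a harmless body. Where a policy blocks string
// compilation (for example CSP without 'unsafe-eval'), the call is expected
// to throw EvalError. "allowed" means the policy does not cover that path.
function auditStringCompilation() {
  const report = {};
  const probe = (fn) => {
    try {
      fn();
      return 'allowed';
    } catch (e) {
      return e.name === 'EvalError' ? 'blocked' : 'error: ' + e.name;
    }
  };
  for (const [name, ctor] of Object.entries(dynamicFunctionConstructors())) {
    report[name] = {
      isGlobal: globalThis[name] === ctor,
      distinctFromFunction: ctor !== Function,
      // Compiles only; the resulting function is never called.
      status: probe(() => ctor('return 1')),
    };
  }
  // Indirect eval, the other string-to-code path mentioned in the thread.
  report.eval = {
    isGlobal: true,
    distinctFromFunction: true,
    status: probe(() => (0, eval)('1')),
  };
  return report;
}

console.table(auditStringCompilation());
```

A policy is consistent only when every row reports the same status; a row that stays `allowed` while `Function` is `blocked` is a gap of the kind raised in the CSP question above.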

