Standard modules?

Andy Wingo wingo at igalia.com
Mon Jan 20 23:46:09 PST 2014


On Mon 20 Jan 2014 18:39, Brendan Eich <brendan at mozilla.com> writes:

> Allen Wirfs-Brock wrote:
>> It isn't clear that there much need for a global name for
>> GeneratorFunction.  If you really eed to access it can always get it
>> via:
>>
>>    (function *() {}).constructor
>
> Does this present a hazard for CSP, which provides policy controls
> governing Function?

Relevant spec:

  http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#script-src

I guess CSP needs to be updated to have similar language for
GeneratorFunction as for Function.  As Allen mentions, though it doesn't
have a name it is accessible.

I just took a look at SM and V8 and it seems both of them respect CSP
for the GeneratorFunction constructor, though both are lacking test
cases.  Not sure how to trigger such a test case without a browser.

Andy


More information about the es-discuss mailing list