Putting `global` reference in specs
Mark S. Miller
erights at google.com
Fri Apr 17 15:40:26 UTC 2015
On Fri, Apr 17, 2015 at 8:33 AM, Andrea Giammarchi <andrea.giammarchi at gmail.com> wrote:
> it's a no-go under CSP so it's as bad as `Function('return this')()`
Precisely. Which raises an interesting point. Does anyone know of a
*precise* statement of the actual threat model that CSP's "no eval" is
supposed to protect against?
The reason I ask is that I suspect that there's no valid reason for SES's
"eval", "confine", and "Function" to be disabled by CSP's no-eval mode.
Indeed, SES-with-eval is much safer for most purposes than JS-without-eval.
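As an added illustration of the point in the quoted line (this code is not from the thread or from SES), a global lookup that does not depend on `Function('return this')()`, plus a probe that reports whether dynamic code construction is blocked, as it is under a CSP that omits `'unsafe-eval'`. It assumes an engine that exposes `globalThis` and falls back to the host-specific names where it does not.

```javascript
'use strict';

// Under a CSP without 'unsafe-eval', `Function('return this')()` throws an
// EvalError instead of returning the global object, so it cannot be the
// fallback of last resort. This lookup avoids dynamic code entirely.
// (In strict mode `this` in a plain function is undefined, which is why the
// eval-based trick was used in the first place.)
function getGlobal() {
  if (typeof globalThis === 'object' && globalThis !== null) return globalThis;
  if (typeof self !== 'undefined') return self;      // browsers and workers
  if (typeof window !== 'undefined') return window;  // older browsers
  if (typeof global !== 'undefined') return global;  // Node.js
  throw new Error('unable to locate the global object without eval');
}

// Returns true when dynamic code construction is blocked (the situation the
// thread describes as "a no-go under CSP"), false when it is permitted.
// Any other exception is re-thrown so an unrelated failure is not misread
// as a policy decision.
function dynamicCodeBlocked() {
  try {
    Function('return 1');
    return false;
  } catch (e) {
    if (e instanceof EvalError) return true;
    throw e;
  }
}
```

Outside a CSP-enforcing host (for example a plain Node.js process) `dynamicCodeBlocked()` returns false; in a page served with a `script-src` that lacks `'unsafe-eval'` it returns true while `getGlobal()` keeps working.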