Putting `global` reference in specs

Mark S. Miller erights at google.com
Fri Apr 17 15:40:26 UTC 2015

On Fri, Apr 17, 2015 at 8:33 AM, Andrea Giammarchi <andrea.giammarchi at gmail.com> wrote:

> it's a no-go under CSP so it's as bad as `Function('return this')()`

Precisely. Which raises an interesting point. Does anyone know of a
*precise* statement of the actual threat model that CSP's "no eval" is
supposed to protect against?

The reason I ask is that I suspect that there's no valid reason for SES's
"eval", "confine", and "Function" to be disabled by CSP's no-eval mode.
Indeed, SES-with-eval is much safer for most purposes than JS-without-eval.
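The quoted reply calls `Function('return this')()` a no-go under CSP because a policy without `'unsafe-eval'` refuses to compile source text at runtime. The following is an added example, not code from this thread or from SES: it obtains the global reference through property lookups only (`globalThis`, then the `self`/`window`/`global` names that browsers and Node expose), keeps the `Function`-based form beside it for comparison, and offers a small probe that tells a script whether runtime evaluation is permitted in the current environment. The fallback order and the probe are my own choices, assumed here rather than taken from any spec.

```javascript
'use strict';

// Added example (not from the es-discuss thread): obtain a reference to the
// global object without evaluating source text, so it keeps working under a
// Content-Security-Policy that lacks 'unsafe-eval'.
//
// Assumption: the host is a browser (self/window), Node (global) or any
// engine that provides globalThis. typeof on an undeclared name is safe in
// strict mode, so each probe is harmless where the name does not exist.
function getGlobal() {
  if (typeof globalThis === 'object' && globalThis !== null) return globalThis;
  if (typeof self === 'object' && self !== null) return self;
  if (typeof window === 'object' && window !== null) return window;
  if (typeof global === 'object' && global !== null) return global;
  throw new Error('no global object reference available in this host');
}

// The pattern the reply calls a no-go under CSP. The body compiled by the
// Function constructor is sloppy-mode, so `this` inside it is the global
// object; a policy without 'unsafe-eval' rejects the compile with EvalError.
function getGlobalViaFunction() {
  return Function('return this')();
}

// Probe whether runtime code evaluation is permitted here: true when the
// Function constructor can compile an empty body, false when the engine or
// the page's CSP blocks it. Use this to pick a code path, never to work
// around the policy.
function evalAllowed() {
  try {
    Function('');
    return true;
  } catch (e) {
    return false;
  }
}

// Show both routes and whether they agree in this host.
function demo() {
  const g = getGlobal();
  const allowed = evalAllowed();
  const viaFunction = allowed ? getGlobalViaFunction() : undefined;
  return {
    evalAllowed: allowed,
    lookupRouteWorks: g === globalThis,
    // Only meaningful where evaluation is allowed; otherwise reported as null.
    routesAgree: allowed ? viaFunction === g : null,
  };
}

console.log(demo());
```

Run under Node and both routes return the same object and `evalAllowed` is `true`; embed the same file in a page served with a CSP that omits `'unsafe-eval'` and `evalAllowed()` reports `false` while `getGlobal()` still succeeds, which is the practical difference the reply is pointing at.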
