How to modify the scope chain without `with`?

Michał Wadas michalwadas at
Tue Feb 16 15:45:24 UTC 2016

2016-02-16 15:51 GMT+01:00 Coroutines <coroutines at>:

> Having the ability to derive from "global" (only in Node) and
> prepare an Object to run a function within as its global context
> would be an invaluable ability. (imo)

It seems like an obvious idea, but in fact it's almost impossible to secure
- consider `true.constructor.constructor("alert('XSS')")()`.
ECMAScript lacks a secure sandbox that would work in every browser, but such
limited scope manipulation is totally useless as a "secure sandbox".

BTW, such limited scope manipulation is already possible, see how my
library works there -
(it heavily uses `eval`).

Sending again because of wrong "to".
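
The point made in the reply above, as an added example that is not part of the original post or of the author's library: a `with` + `Proxy` scope wrapper hides global identifiers, yet the constructor chain quoted in the post still returns the real global object. `runScoped`, `auditScope` and the probe strings are hypothetical names constructed for this illustration; it runs under Node.js.

```javascript
// Added example; runScoped, auditScope and PROBES are hypothetical names.

// Evaluate the expression `source` so that every free identifier resolves
// against `scope` instead of the real global object.
function runScoped(source, scope) {
  const membrane = new Proxy(scope, {
    // Claim to own every name so lookups never fall through to globalThis.
    has: () => true,
    get: (target, key) =>
      key === Symbol.unscopables ? undefined : target[key],
  });
  // Bodies built by the Function constructor are sloppy mode, so `with` is allowed.
  const runner = new Function('scope', `with (scope) { return (${source}); }`);
  // Bind `this` to the scope object so a bare `this` is not the global either.
  return runner.call(scope, membrane);
}

// Constructed probes: each expression tries to obtain the global object.
const PROBES = {
  identifier: 'globalThis',
  thisValue: 'this',
  // The chain from the post: literal -> Boolean -> Function. Function compiles
  // its body in the global scope and ignores the `with` wrapper entirely.
  constructorChain: 'true.constructor.constructor("return globalThis")()',
};

// Report which probes hand back the real global object.
function auditScope(scope = {}) {
  const report = {};
  for (const [name, source] of Object.entries(PROBES)) {
    report[name] = runScoped(source, scope) === globalThis;
  }
  return report;
}

console.log(auditScope());
// { identifier: false, thisValue: false, constructorChain: true }
```

The wrapper controls identifier resolution only; property access on any value, including a literal, still walks the realm's own prototype chain up to `Function`.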