How to modify the scope chain without `with` ?

Coroutines coroutines at
Tue Feb 16 15:57:05 UTC 2016

On Tue, Feb 16, 2016 at 7:45 AM, Michał Wadas <michalwadas at> wrote:
> 2016-02-16 15:51 GMT+01:00 Coroutines <coroutines at>:
>> Having the ability to derive from "global" (only in Node) and
>> prepare an Object to run an function within as its global context
>> would be an invaluable ability. (imo)
> It seems like an obvious idea, but in fact it's almost impossible to secure
> - consider `true.constructor.constructor("alert('XSS')")()`
> ECMAScript lacks secure sandbox that would work in every browser, but such
> limited scope manipulation is totally useless as "secure sandbox".
> BTW, such limited scope manipulation is already possible, see how my library
> works there -
> (it heavily uses `eval`).
> Sending again because of wrong "to".

Okay - different argument: if you can provide actual environment
inheritance you can avoid collisions assigning to the "global scope".

More information about the es-discuss mailing list