How to modify the scope chain without `with` ?
Coroutines
coroutines at gmail.com
Tue Feb 16 15:57:05 UTC 2016
On Tue, Feb 16, 2016 at 7:45 AM, Michał Wadas <michalwadas at gmail.com> wrote:
>
> 2016-02-16 15:51 GMT+01:00 Coroutines <coroutines at gmail.com>:
>>
>> Having the ability to derive from "global" (only in Node) and
>> prepare an Object to run an function within as its global context
>> would be an invaluable ability. (imo)
>
>
>
> It seems like an obvious idea, but in fact it's almost impossible to secure
> - consider `true.constructor.constructor("alert('XSS')")()`
> ECMAScript lacks secure sandbox that would work in every browser, but such
> limited scope manipulation is totally useless as "secure sandbox".
>
> BTW, such limited scope manipulation is already possible, see how my library
> works there -
> https://github.com/Ginden/reflect-helpers/blob/master/tests/closures.js#L14
> (it heavily uses `eval`).
>
> Sending again because of wrong "to".
>
Okay - different argument: if you can provide actual environment
inheritance you can avoid collisions assigning to the "global scope".
More information about the es-discuss
mailing list