On Sat, Feb 4, 2012 at 3:48 AM, David Bruant <bruan...@gmail.com> wrote: [...]
> The internalCompileExpr function uses "with", how will this code behave in
> ES6 since it's built on top of ES5 strict?

a) ES6 will still support non-strict code. An indirect ES6 eval (as used here) will still eval non-strict as long as the string being evaluated doesn't start with "use strict";. The strictness of the caller of an indirect eval doesn't matter. So the existing SES code should work securely on an ES6 system, as far as we can tell.

b) Even the lightweight scanning we're currently doing on ES5 to pick up all potential free variable names will be unnecessary in ES6, since we can just do "with (proxy) {".

c) The ES6 module loader should make all these with-games unnecessary anyhow, since it gives us a principled approach for controlling the top level scope of untrusted code. Long term, this is the real answer.

--
Cheers,
--MarkM
_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss
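The following is an added example, not part of the original message and not SES's code. It illustrates points (a) and (b) of the reply: an indirect eval stays non-strict even when its caller is strict, and a `with (proxy) {` wrapper catches every free variable lookup. The names `makeScopeProxy` and `confinedEval` are hypothetical, and the sketch covers only top-level scope control, not a complete confinement layer.

```javascript
// Added illustration. makeScopeProxy and confinedEval are hypothetical names,
// not SES functions; this covers top-level scope control only.
const indirectEval = (0, eval); // indirect call: global scope, non-strict by default

// True if an indirect eval issued from a strict caller accepts `src`.
function strictCallerAccepts(src) {
  'use strict';
  try {
    indirectEval(src);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Scope object for `with (proxy) {`: claims every identifier, so no free
// variable lookup falls through to the real global scope.
function makeScopeProxy(endowments) {
  const allowed = Object.assign(Object.create(null), endowments);
  return new Proxy(allowed, {
    has() { return true; },
    get(target, name) {
      return name === Symbol.unscopables ? undefined : target[name];
    },
    set() { return false; }, // strict code assigning a free variable gets a TypeError
  });
}

// Evaluates expression text with only `endowments` in scope. The wrapper is
// non-strict so it may use `with`; the untrusted expression runs in a strict
// function nested inside it. Assumes exprSrc was already checked to be a
// single expression; this sketch does not verify that.
function confinedEval(exprSrc, endowments) {
  const wrapper = indirectEval(
    '(function (scope) { with (scope) { return (function () {' +
    ' "use strict"; return (' + exprSrc + '\n); })(); } })');
  return wrapper(makeScopeProxy(endowments || {}));
}
```
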