On 8/24/12 at 10:46, kris.ko...@cixar.com (Kris Kowal) wrote:

> On Fri, Aug 24, 2012 at 10:41 AM, Brendan Eich <bren...@mozilla.org> wrote:
> > I'm not sure what the problem is -- I read the old thread, and noticed the
> > solution:
> >
> >     var global = Function("return this")();
> >
> > This is good for any code mode, strict or non-strict. Does CSP ban Function
> > as well as eval?
>
> CSP does forbid the Function constructor, by the edict “Code will not
> be created from strings”.
>
> http://www.w3.org/TR/CSP/ Section 4.2 “If unsafe-eval is not allowed…”

Of course you can't do this. One can always write an interpreter in JavaScript and interpret any string as code.

What you can do is keep interpretation from using "forbidden" features by preventing them from being used by the interpreter, and therefore any language it is interpreting. You cannot easily prevent such features from being used by strings being eval-ed.

Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz        | If the site is supported by  | Periwinkle
(408)356-8506      | ads, you are the product.    | 16345 Englewood Ave
www.pwpconsult.com |                              | Los Gatos, CA 95032

_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss
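
The point made in the reply above, as an added example that is not part of the original thread: a small JavaScript expression interpreter that runs a string as code without eval or the Function constructor, and that decides for itself which names the interpreted code can reach. The grammar and the names `tokenize`, `interpret` and `hostEnv` are assumptions made for illustration.

```javascript
function tokenize(src) {
  const re = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_$][\w$]*)|([-+*\/(),]))/y;
  const text = src.trim(), tokens = [];
  while (re.lastIndex < text.length) {
    const at = re.lastIndex, m = re.exec(text);
    if (!m) throw new SyntaxError("unexpected character at offset " + at);
    const type = m[1] !== undefined ? "num" : m[2] !== undefined ? "id" : "op";
    tokens.push({ type, value: type === "num" ? Number(m[1]) : m[2] || m[3] });
  }
  return tokens;
}

// Evaluates src without eval or the Function constructor (hypothetical helper).
function interpret(src, env) {
  const tokens = tokenize(src);
  let pos = 0;
  const isOp = (v) => pos < tokens.length && tokens[pos].type === "op" && tokens[pos].value === v;
  const expect = (v) => { if (!isOp(v)) throw new SyntaxError("expected " + v); pos++; };
  const APPLY = { "+": (a, b) => a + b, "-": (a, b) => a - b, "*": (a, b) => a * b, "/": (a, b) => a / b };
  function primary() {
    const t = tokens[pos++];
    if (!t) throw new SyntaxError("unexpected end of input");
    if (t.type === "num") return t.value;
    if (t.value === "(") { const v = sum(); expect(")"); return v; }
    if (t.type !== "id") throw new SyntaxError("unexpected token " + t.value);
    // Policy: a name resolves only if the host placed it in env as an own property.
    if (!Object.prototype.hasOwnProperty.call(env, t.value))
      throw new ReferenceError("name not provided by host: " + t.value);
    const value = env[t.value];
    if (!isOp("(")) return value;
    pos++;
    const args = [];
    if (!isOp(")")) do { args.push(sum()); } while (isOp(",") && ++pos);
    expect(")");
    return value(...args);
  }
  function binary(next, ops) {
    let v = next();
    while (ops.some(isOp)) v = APPLY[tokens[pos++].value](v, next());
    return v;
  }
  const product = () => binary(primary, ["*", "/"]);
  const sum = () => binary(product, ["+", "-"]);
  const result = sum();
  if (pos !== tokens.length) throw new SyntaxError("trailing input");
  return result;
}

// Constructed host environment: the interpreted string can reach x and max only.
const hostEnv = Object.freeze({ x: 3, max: Math.max });
```

Names such as `this`, `Function` or `constructor` fail the own-property check, so the restriction is enforced by the interpreter rather than by the page's CSP.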
