On Jun 19, 2008, at 8:20 PM, Mark S. Miller wrote:

>> Some browsers support indirect eval, allowing this:
>>
>>   setTimeout(eval, 0, "alert('hi mom')")
>>
>> The window used is the one in which setTimeout was found along the
>> scope chain, so
>>
>>   myFrame.setTimeout(eval, 0, "alert(x)")
>>
>> should show myFrame.x, not the calling frame or window's x.
>>
>> This is not something patched Firefox major versions support.
>
> Thanks, this was very clarifying. Which of these cases would ES4
> consider to be uses of the eval operator, and which of the eval
> function?

No eval operator calls above ;-). No function calls to foo.eval where foo is a window either. These are indirect eval calls via setTimeout. We ban them in Firefox precisely because there is no calling context, so we don't know the trust label of the caller.

/be
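
The operator/function distinction discussed in this exchange, as an added example that is not part of the original thread: under the direct/indirect eval rules later standardized in ECMAScript 5, only a call written with the name `eval` sees the caller's scope, while eval handed over as a value (the setTimeout case) runs against the global scope with no view of the caller. The names `x`, `localOnly`, `callLater` and `probe` are assumptions made for this demo, and `callLater` is a synchronous stand-in for the host's timer.

```javascript
// Constructed demo; all names here are assumed for illustration.
globalThis.x = "global x";

// Stand-in for setTimeout(eval, 0, src): the host receives eval as a plain
// function value and invokes it itself, so the original caller's scope is gone.
function callLater(fn, arg) {
  return fn(arg);
}

function probe() {
  const x = "local x";   // shadows the global inside this function
  const localOnly = 1;   // exists only in this function's scope
  const alias = eval;    // any reference other than the bare name is indirect

  return {
    // Direct call (the "eval operator"): evaluated in the caller's scope.
    direct: eval("x"),
    directSeesLocal: eval("typeof localOnly"),
    // Indirect calls (the "eval function"): evaluated in the global scope.
    aliased: alias("x"),
    comma: (0, eval)("x"),
    viaCallback: callLater(eval, "x"),
    indirectSeesLocal: (0, eval)("typeof localOnly"),
  };
}

const result = probe();
console.log(result);
```
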