On Mon, May 26, 2014 at 9:59 AM, Andrew Grieve <agri...@chromium.org> wrote:
> From: https://issues.apache.org/jira/browse/CB-6746
>
> Given that you can implement sendJavascript via PluginResults by just
> eval()ing the results, maybe we could just deprecate the function?

And this comment just earned this proposal a -1. Just eval()ing the results is a completely awful idea because it assumes that we can trust the data being returned from the plugin, which security researchers have shown many, many times that you can't. That reason alone makes me want to keep this, although it's also bad in its current form.
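
The trust problem discussed in this thread, as an added example that is not part of the original messages or of Cordova's code: it compares delivering a plugin result by evaluating it with delivering it as parsed data. The function names, the `{callbackId, payload}` message shape, the `__onResult` and `__ranAsCode` globals and the sample file name are all assumptions constructed for illustration.

```javascript
// Added illustration; names and the {callbackId, payload} shape are hypothetical, not Cordova's API.
const callbacks = new Map(); // callbackId -> function the page registered

// Pattern objected to in the reply: the plugin result is a string of JavaScript.
function deliverByEval(resultString) {
  // Whatever text the native side produced runs with the page's privileges.
  return (0, eval)(resultString);
}

// Alternative: the result is data. Parse, check the shape, then call a
// callback the page registered itself. The payload is never executed.
function deliverAsData(resultString) {
  let msg;
  try {
    msg = JSON.parse(resultString);
  } catch (e) {
    return { ok: false, reason: 'not JSON' };
  }
  if (msg === null || typeof msg !== 'object' || typeof msg.callbackId !== 'string') {
    return { ok: false, reason: 'bad shape' };
  }
  const cb = callbacks.get(msg.callbackId);
  if (!cb) return { ok: false, reason: 'unknown callback' };
  cb(msg.payload);
  return { ok: true };
}

function demo() {
  const received = [];
  callbacks.set('File1', (p) => received.push(p));
  globalThis.__onResult = (p) => received.push(p);
  globalThis.__ranAsCode = false;
  // Constructed sample: a value the plugin read from an untrusted source.
  const fileName = "a'); globalThis.__ranAsCode = true; ('";
  // Native side builds JavaScript by concatenation; the value escapes its quotes.
  const asJs = "globalThis.__onResult('" + fileName + "')";
  deliverByEval(asJs);
  const evalRanInjectedCode = globalThis.__ranAsCode;
  globalThis.__ranAsCode = false;
  // Same value sent as JSON data: it arrives as an inert string.
  const asData = JSON.stringify({ callbackId: 'File1', payload: fileName });
  const result = deliverAsData(asData);
  return {
    evalRanInjectedCode,
    dataRanInjectedCode: globalThis.__ranAsCode,
    payloadIntact: result.ok && received[received.length - 1] === fileName,
    jsRejectedAsData: deliverAsData(asJs).reason,
  };
}
```

Calling `demo()` shows the same untrusted value running as code on the eval path and arriving as an unchanged string on the data path.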