On Sat, Aug 25, 2012 at 7:25 AM, Bill Frantz <[email protected]> wrote:
> On 8/24/12 at 10:46, [email protected] (Kris Kowal) wrote:
>
>> On Fri, Aug 24, 2012 at 10:41 AM, Brendan Eich <[email protected]> wrote:
>>
>>> I'm not sure what the problem is -- I read the old thread, and noticed the
>>> solution:
>>>
>>> var global = Function("return this")();
>>>
>>> This is good for any code mode, strict or non-strict. Does CSP ban Function
>>> as well as eval?
>>
>> CSP does forbid the Function constructor, by the edict “Code will not
>> be created from strings”.
>>
>> http://www.w3.org/TR/CSP/ Section 4.2 “If unsafe-eval is not allowed…”
>
> Of course you can't do this. One can always write an interpreter in
> Javascript and interpret any string as code.
>
> What you can do is keep interpretation from using "forbidden" features by
> preventing them from being used by the interpreter, and therefore any
> language it is interpreting. You can not easily prevent such features from
> being used by strings being eval-ed.

Hi Bill, well put. This is precisely what the SES confining eval does -- it
denies access by default to any object that can cause any externally visible
effects. It therefore provides all the integrity that can be provided by
denying access to eval, but it does so while still dynamically providing the
full power of JS to compute computable functions, obviating the need to write
such an eval in JS.

SES accepts a different subset of JS than the eval-prohibiting CSP, and
therefore breaks a different subset of existing programs. It would be
interesting to measure which subsetting is more painful.

> Cheers - Bill
>
> -----------------------------------------------------------------------
> Bill Frantz        | If the site is supported by | Periwinkle
> (408)356-8506      | ads, you are the product.   | 16345 Englewood Ave
> www.pwpconsult.com |                             | Los Gatos, CA 95032
>
> _______________________________________________
> es-discuss mailing list
> [email protected]
> https://mail.mozilla.org/listinfo/es-discuss

-- 
Cheers,
--MarkM
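The two points in the exchange above, as an added example that is not part of the thread and not SES or CSP code: the `Function("return this")()` trick is code-from-strings and is exactly what a CSP without `unsafe-eval` blocks, while an interpreter written in JavaScript needs no eval at all and can confine what it interprets simply by never wiring the global object into its environment. The tiny expression language, the function names (`globalViaFunction`, `codeFromStringsAllowed`, `confinedEval`) and the sample environments are assumptions made for this example.

```javascript
// Added example (not from the es-discuss thread): a small interpreter that
// evaluates a string against an explicit environment only. It uses no eval
// and no Function constructor, so it runs under a CSP that forbids
// code-from-strings, and an identifier resolves only if the caller put it
// in `env` on purpose. There is no route from the string to the global
// object, Function, or any other authority the caller did not hand over.

// The trick quoted in the thread. It creates a function from a string, so
// a CSP without 'unsafe-eval' makes this throw an EvalError; in plain
// Node it returns the global object.
function globalViaFunction() {
  return Function("return this")();
}

// Probe: does this host allow code to be created from strings at all?
function codeFromStringsAllowed() {
  try {
    Function("return 0");
    return true;
  } catch (e) {
    return false; // EvalError under a restrictive CSP
  }
}

// Tokenizer for the toy grammar: numbers, identifiers, + - * / ( ) and ','.
function tokenize(src) {
  const re = /\s*(\d+(?:\.\d+)?|[A-Za-z_]\w*|[-+*\/(),])\s*/y;
  const tokens = [];
  let pos = 0;
  while (pos < src.length) {
    re.lastIndex = pos;
    const m = re.exec(src);
    if (m === null) throw new SyntaxError("bad token at offset " + pos);
    tokens.push(m[1]);
    pos = re.lastIndex;
  }
  return tokens;
}

// Recursive-descent evaluator. Grammar:
//   expr   := term (('+' | '-') term)*
//   term   := factor (('*' | '/') factor)*
//   factor := number | ident ('(' args ')')? | '(' expr ')'
function confinedEval(src, env) {
  const toks = tokenize(src);
  let i = 0;
  const peek = () => toks[i];
  const next = () => toks[i++];
  const expect = (t) => {
    if (next() !== t) throw new SyntaxError("expected " + t);
  };

  // Name resolution: own properties of env only. No prototype walk (so
  // "constructor" or "__proto__" on a plain object are not visible) and no
  // fallback to the global scope, which is the confinement boundary.
  function lookup(name) {
    if (!Object.prototype.hasOwnProperty.call(env, name)) {
      throw new ReferenceError(name + " is not defined in the confined environment");
    }
    return env[name];
  }

  function expr() {
    let v = term();
    while (peek() === "+" || peek() === "-") {
      const op = next();
      const r = term();
      v = op === "+" ? v + r : v - r;
    }
    return v;
  }

  function term() {
    let v = factor();
    while (peek() === "*" || peek() === "/") {
      const op = next();
      const r = factor();
      v = op === "*" ? v * r : v / r;
    }
    return v;
  }

  function factor() {
    const t = next();
    if (t === undefined) throw new SyntaxError("unexpected end of input");
    if (t === "(") {
      const v = expr();
      expect(")");
      return v;
    }
    if (/^\d/.test(t)) return Number(t);
    if (/^[A-Za-z_]/.test(t)) {
      const v = lookup(t);
      if (peek() !== "(") return v;
      next(); // consume '('
      const args = [];
      if (peek() !== ")") {
        do { args.push(expr()); } while (peek() === "," && next());
      }
      expect(")");
      if (typeof v !== "function") throw new TypeError(t + " is not a function");
      // Callee receives only its arguments; `this` is deliberately undefined.
      return v.apply(undefined, args);
    }
    throw new SyntaxError("unexpected token " + t);
  }

  const result = expr();
  if (i !== toks.length) throw new SyntaxError("unexpected token " + peek());
  return result;
}

// Usage: the caller decides the entire authority of the evaluated string.
// confinedEval("add(2, 3) * 4", { add: (a, b) => a + b })  // 20
// confinedEval("Function", {})                              // ReferenceError
```

The design point mirrors Bill's remark: the interpreter can only reach what the interpreter itself was given. `env` is the whole world the string sees, so denying an external effect means leaving the object that causes it out of `env`, which is far easier to audit than trying to strip such objects from code handed to `eval`.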

