On 05/11/2012 22:11, Andrea Giammarchi wrote:
I see security problems all over ... you own your function, you can make it "pure" or serializable ... you don't know your function, I believe there's no way you want that unknown function to be executed in your own sandbox opening doors for any sort of attack, i.e. ... this is pure, no outer scope access at all: function pure() { function(){return this}.call(null).Function.prototype.serialize = function() { /* boom */ } }
Interesting.
Assuming the own/don't own divide, there is a way to annotate (symbol/(Weak)Set) functions that are known pure and export only these.

David
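
The annotation idea in the reply above, sketched as an added example (not code from this thread or from any proposal). The names createPureRegistry, markPure, isKnownPure and exportPure are hypothetical, and the registry only records the owner's assertion that a function is pure; it does not verify purity.

```javascript
'use strict';
// Added example; all names here are hypothetical.
function createPureRegistry() {
  // Capture built-ins up front so that later patching of WeakSet.prototype
  // or Function.prototype cannot change what the registry checks.
  const known = new WeakSet();
  const has = Function.prototype.call.bind(WeakSet.prototype.has);
  const add = Function.prototype.call.bind(WeakSet.prototype.add);
  const toSource = Function.prototype.call.bind(Function.prototype.toString);

  return Object.freeze({
    // Called only by the code owner, for functions they have reviewed.
    markPure(fn) {
      if (typeof fn !== 'function') throw new TypeError('not a function');
      add(known, fn);
      return fn;
    },
    isKnownPure(fn) {
      return typeof fn === 'function' && has(known, fn);
    },
    // Export source text only for annotated functions; refuse all others.
    exportPure(fn) {
      if (!(typeof fn === 'function' && has(known, fn))) {
        throw new TypeError('function is not annotated as pure');
      }
      return toSource(fn);
    },
  });
}

function demo() {
  const registry = createPureRegistry();
  const add2 = registry.markPure(function add2(a, b) { return a + b; });
  const unknown = function unknown(x) { return x; }; // constructed: never reviewed

  // Constructed tampering after setup: a patched shared prototype method.
  const origHas = WeakSet.prototype.has;
  WeakSet.prototype.has = () => true;
  let refused = false;
  try { registry.exportPure(unknown); } catch (e) { refused = e instanceof TypeError; }
  const exported = registry.exportPure(add2);
  WeakSet.prototype.has = origHas;
  return { refused, exported, unknownIsBranded: registry.isKnownPure(unknown) };
}
```

The WeakSet stays private to the closure, so code that never receives markPure cannot annotate its own functions.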
_______________________________________________
es-discuss mailing list
https://mail.mozilla.org/listinfo/es-discuss