Le 20/01/2014 18:39, Brendan Eich a écrit :
Allen Wirfs-Brock wrote:
It isn't clear that there much need for a global name for
GeneratorFunction. If you really eed to access it can always get it
via:
(function *() {}).constructor
Do we even need (function *() {}).constructor !== Function?
(and [[FunctionKind]] "generator" and a different @@toStringTag and...)
What is its use case anyway? Creating a generator from source?
What's wrong with:
eval("function*(x, y, z, ...yo){/*body*/}")
(and when the source isn't trusted, use indirect eval or soon enough the
module loader)
Does this present a hazard for CSP, which provides policy controls
governing Function?
It introduces something that probably should be disabled by default and
re-enabled only if the unsafe-eval "origin" is present.
From a security perspective, note that this is a marginal
(non-existent) protection and the underlying capability (executing
arbitrary code) remains since an attacker can download a JS interpreter
to eval any string itself.
David
_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss
