On Fri, Apr 17, 2015 at 8:33 AM, Andrea Giammarchi <andrea.giammar...@gmail.com> wrote:

> it's a no-go under CSP so it's as bad as `Function('return this')()`
>

Precisely. Which raises an interesting point. Does anyone know of a
*precise* statement of the actual threat model that CSP's "no eval" is
supposed to protect against?

The reason I ask is that I suspect that there's no valid reason for SES's
"eval", "confine", and "Function" to be disabled by CSP's no-eval mode.
Indeed, SES-with-eval is much safer for most purposes than JS-without-eval.

-- 
    Cheers,
    --MarkM
_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss