On Fri, Apr 17, 2015 at 8:33 AM, Andrea Giammarchi < andrea.giammar...@gmail.com> wrote:
> it's a no-go under CSP so it's as bad as `Function('return this')()`
>

Precisely. Which raises an interesting point. Does anyone know of a *precise* statement of the actual threat model that CSP's "no eval" is supposed to protect against? The reason I ask is that I suspect that there's no valid reason for SES's "eval", "confine", and "Function" to be disabled by CSP's no-eval mode. Indeed, SES-with-eval is much safer for most purposes than JS-without-eval.

--
Cheers,
--MarkM
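Added example, not code from the thread or from SES: a small check of whether a Content-Security-Policy header's `script-src` (falling back to `default-src`) grants `'unsafe-eval'`, which is the gate that makes `Function('return this')()` a no-go, plus a CSP-compatible way to reach the global object that needs no string-to-code at all. The function names are my own, and the policy strings in the test are constructed.

```javascript
// Parse a CSP header into a Map of directive name -> source expressions.
// Directives are ';'-separated; within one, tokens are whitespace-separated.
// Per the CSP spec, a repeated directive name keeps its first occurrence.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does this policy permit string-to-code execution (eval, Function,
// setTimeout/setInterval with a string argument)? script-src governs it;
// if script-src is absent, default-src applies; if neither is present the
// policy places no restriction on script at all.
function evalAllowedByCsp(policy) {
  const d = parseCsp(policy);
  const sources = d.get('script-src') || d.get('default-src');
  if (sources === undefined) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Reach the global object without Function('return this')(), so the code
// keeps working under a policy that omits 'unsafe-eval'. Assumption: when
// run by Node here globalThis exists; the later branches cover older
// browsers, workers and older Node versions.
function getGlobalObject() {
  if (typeof globalThis === 'object') return globalThis;
  if (typeof self === 'object') return self;      // browsers and workers
  if (typeof window === 'object') return window;  // older browsers
  if (typeof global === 'object') return global;  // older Node
  throw new Error('unable to locate the global object');
}
```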
_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss