From: es-discuss [mailto:es-discuss-boun...@mozilla.org] On Behalf Of Andrea Giammarchi
> Can anyone explain with few words what does this change actually mean for JS?

It means that JS will now specify how it has been implemented already in every browser, in a more rigorous way that allows the CSP spec to move away from [its current very imprecise blockage][1] to something more precise.

The current imprecise blockage is implemented in various different ways in different browsers:

- Different errors are thrown (so far I have seen EvalError and TypeError)
- The realm used to determine blocking differs between caller and callee realms. That is, given a CSPed window with a non-CSPed iframe, otherWindow.eval("foo") is sometimes blocked and sometimes not. This will allow us to specify that it is always blocked (by taking into account both the caller and callee realms).

See https://github.com/tc39/ecma262/pull/451 for the exact spec impact.

[1]: https://w3c.github.io/webappsec-csp/#directive-script-src
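
Added example, not part of the original message or of the spec PR: Node's `vm` contexts stand in for the CSPed window and the non-CSPed iframe (an assumption, since the message concerns browsers), with `codeGeneration: { strings: false }` playing the role of the CSP eval restriction. It records which same-realm and cross-realm `eval` calls the runtime blocks and compares each result with the both-realms rule described above; the names `makeRealms`, `attempt`, `bothRealmsRule`, `observe`, `gaps` and `peerEval` are hypothetical.

```javascript
// Added example: Node vm contexts stand in for browser realms (assumption).
const vm = require('vm');

// Constructed realms: `locked` models the CSPed window (no string
// compilation), `open` models the iframe without a policy.
function makeRealms() {
  const locked = vm.createContext({}, { codeGeneration: { strings: false } });
  const open = vm.createContext({});
  // Hand each realm the other realm's eval function as `peerEval`.
  locked.peerEval = vm.runInContext('eval', open);
  open.peerEval = vm.runInContext('eval', locked);
  return { locked, open };
}

// Run `code` inside `realm` and record whether the runtime blocked it.
function attempt(realm, code) {
  try {
    return { blocked: false, value: vm.runInContext(code, realm) };
  } catch (err) {
    return { blocked: true, error: err.name };
  }
}

// The rule from the message: block if the caller OR the callee realm
// forbids compiling strings.
function bothRealmsRule(callerAllows, calleeAllows) {
  return !(callerAllows && calleeAllows);
}

// Each case: caller realm, code, then whether caller / callee allow eval.
function observe() {
  const { locked, open } = makeRealms();
  const cases = {
    lockedOwnEval: [locked, 'eval("1 + 1")', false, false],
    lockedCallsOpenEval: [locked, 'peerEval("1 + 1")', false, true],
    openCallsLockedEval: [open, 'peerEval("1 + 1")', true, false],
    openOwnEval: [open, 'eval("1 + 1")', true, true],
  };
  const report = {};
  for (const [name, [realm, code, callerOk, calleeOk]] of Object.entries(cases)) {
    const seen = attempt(realm, code);
    report[name] = { ...seen, ruleBlocks: bothRealmsRule(callerOk, calleeOk) };
  }
  return report;
}

// Cases the both-realms rule would block but this runtime let through.
function gaps(report) {
  return Object.keys(report).filter((k) => report[k].ruleBlocks && !report[k].blocked);
}

console.log(observe());
```

A non-empty `gaps(observe())` means the runtime consulted only one realm for that call, which is the inconsistency the both-realms check removes.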