From: es-discuss [mailto:es-discuss-boun...@mozilla.org] On Behalf Of Andrea 
Giammarchi

> Can anyone explain in a few words what this change actually means for JS?

It means that JS will now specify how it has been implemented already in every 
browser, in a more rigorous way that allows the CSP spec to move away from [its 
current very imprecise blockage][1] to something more precise. The current 
imprecise blockage is implemented in various different ways in different 
browsers:

- Different errors are thrown (so far I have seen EvalError and TypeError)
- The realm used to determine blocking differs between caller and callee 
realms. That is, given a CSPed window with a non-CSPed iframe, 
otherWindow.eval("foo") is sometimes blocked and sometimes not. This will 
allow us to specify that it is always blocked (by taking into account both the 
caller and callee realms).

See https://github.com/tc39/ecma262/pull/451 for the exact spec impact.

[1]: https://w3c.github.io/webappsec-csp/#directive-script-src
_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss
