On Dec 1, 2009, at 19:43, Mike Stay wrote:
> The JS_EvaluateScript function is effectively granting Flash code the authority to execute the "eval" function. However, if this function *literally* invoked "eval" on the provided script, then a page author could rebind that symbol to a less powerful definition, constraining the authority of Flash code to cause changes to the page.

I note that this scheme does not permit discriminating between callers on any given page, since there is only one global 'eval'. In particular, you can't give different authority to multiple embedded objects on the page.
-- Kevin Reid <http://switchb.org/kpreid/>
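
The trade-off discussed in this exchange, as an added example that is not part of the original messages: a constructed model in which a page object's `eval` property stands in for the global `eval`, showing that one rebinding constrains every embedded object identically, next to per-object evaluators that can differ. The names `makePage`, `hostEvaluate`, `restrictEval`, `makeEvaluatorFor` and the plugin ids are hypothetical.

```javascript
// Constructed model: `page` stands in for a page's global object, and
// hostEvaluate() for a plugin bridge that literally looks up `eval` per call.
function makePage() {
  const page = { title: "original", log: [] };
  // Default binding: full authority over the page (models the built-in eval).
  page.eval = (script) => new Function("page", script)(page);
  return page;
}

// Hypothetical bridge: every embedded object reaches the page through the
// single `eval` binding. callerId is deliberately unused, because the
// binding never sees who is calling.
function hostEvaluate(page, callerId, script) {
  return page.eval(script);
}

// Page author's rebinding: only scripts on an allow-list are run.
function restrictEval(page, allowedScripts) {
  const original = page.eval;
  page.eval = (script) => {
    if (!allowedScripts.has(script)) {
      page.log.push("denied");
      return undefined;
    }
    return original(script);
  };
}

// Contrast (assumption, not proposed in the thread): one evaluator per
// embedded object, so each object can be given different authority.
function makeEvaluatorFor(page, allowedScripts) {
  const full = page.eval;
  return (script) => (allowedScripts.has(script) ? full(script) : undefined);
}

function demo() {
  const READ = "return page.title;";
  const WRITE = "page.title = 'changed'; return page.title;";

  const shared = makePage();
  restrictEval(shared, new Set([READ]));
  // Both callers hit the same policy: there is only one `eval` to rebind.
  const sharedResults = ["adPlugin", "trustedPlayer"].map((id) =>
    hostEvaluate(shared, id, WRITE));

  const perObject = makePage();
  const adEval = makeEvaluatorFor(perObject, new Set([READ]));
  const playerEval = makeEvaluatorFor(perObject, new Set([READ, WRITE]));
  return { sharedResults, sharedTitle: shared.title, deniedCount: shared.log.length,
           perObjectResults: [adEval(WRITE), playerEval(WRITE)], perObjectTitle: perObject.title };
}
```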
