Updates:
Status: Fixed
Comment #5 on issue 943 by [email protected]: valija breaks cajita's
setBadFreeVariable rule
http://code.google.com/p/google-caja/issues/detail?id=943
ES5/3 (our valija replacement) and SES5/3 (our cajita replacement) both
follow ES5/strict rules on this issue for scripts. Top level declarations
are ok, and enhance that sandbox's emulated global. Top level assignments
to undeclared variables are not ok. The reason SES5/3 *scripts* can mutate
its globals is that our new SES model is that script code legitimately
operates with the authority of its frame or sandbox, while SES eval code[*]
has a frozen root as its virtual global. In both cases, all SES primordials
other than the apparent global are immutable.
[*] Synchronous eval won't be supported until full SES on full
ES5-supporting browsers. eval.async can and should be supported on all
browsers ES5/3 runs on, by returning a promise and doing a round trip to
the translation service. In both cases, in an SES (or SES5/3) environment,
evaled code should be given only a frozen root.
