Thanks for your response. I'm surprised that I need to delete global host objects in order to get an empty environment. JavaScript is intended to be used as the scripting language for a wide variety of situations. One such situation is executing third party scripts in a secured sandbox. By requiring me to delete a known set of globals before executing a third party script there is a potential security hole. I might miss deleting one global especially if more default globals are added in the future.
The C implementations of JavaScript do not have this issue. When an engine is created it is empty and it is up to me to add any host object that I want. I'll never be surprised by any host objects being added by default. Peter On 2014-01-20, at 10:24 PM, "A. Sundararajan" <[email protected]> wrote: > Hi, > > You can start your application with the System property > > -Dnashorn.args=--no-java > > This will avoid initializing properties needed for Java access ("Packages", > "Java", "java", "javax" etc.). Note that the script can access Java > methods/properties of objects explicitly exposed via > javax.script.ScriptContext/Bindings (if any). If those are also empty, then > global scope gets nothing from Java. > > Note this still defines certain extensions like 'load' , 'print' in global > scope as well as "context" (required per jsr223 spec). If you want, you can > manually delete these properties or assign undefined to these by writing a > simple init script that is loaded upfront - before running the actual script. > > Hope this helps, > -Sundar > > On Tuesday 21 January 2014 10:45 AM, Peter Michaux wrote: >> Hi, >> >> When I create a new Nashorn script engine, it seems to come preloaded with >> globals like `print` which are not part of the ECMAScript standard. How can >> I create an "empty" environment that only has the globals defined in the >> standard? >> >> Thanks, >> Peter >
