Thanks,
There is an option to allow/disallow some aspects of the language, and you can
provide the local variables you want to the expression.
Claude
From: Jordan Harband
Sent: Tuesday, June 19, 2018 10:59 PM
To: doodad-js Admin
Cc: es-discuss
Subject: Re: Proposal: safeEval
What
What value does this add, when you can already do `function
safeEval(...args) { return Function(...args)(); }`, or similar?
On Tue, Jun 19, 2018 at 7:29 PM, doodad-js Admin wrote:
> Hi,
>
>
>
> I take a chance to valorize “eval” again by proposing “safeEval”.
>
>
>
> function
Hi,
I take a chance to valorize "eval" again by proposing "safeEval".
function safeEval(expression, [locals], [options]) {
..
};
So that you can:
safeEval("1 + a", {a: 2});// returns "3"
safeEval("1 + a()", {a: function() {return 2}}, {allowFunctions:
Aha! Thanks. I think I get what you mean now.
Let’s say I have this CSP:
```
content-security-policy: script-src 'nonce-foo'
```
And I have this in my document:
```
import 'data:text/javascript,console.log(`bar`)';
```
Then the browser could theoretically ignore the absence of 'data:' in
Sorry for the confusion.
Nonces are just for elements with url attributes.
I mentioned nonces to point out that strict CSP policies can allow some
data: urls without having to explicitly whitelist or hash the entire
content.
Separately I wanted to say that there is no incompatibility between
Mike: Ah, cool, I didn’t realize that — I had thought that nonces were just
for whitelisting inline script elements. How does one specify a nonce in
association with a data URI? I’m having trouble turning up a description /
example of how it would work. Or possibly I’m misunderstanding this quite
CSP with data URIs is possible via nonce sources. For data: module
descriptors browsers could safely skip the CSP check since it doesn't allow
XSS unless one can already specify an import statement which typically
means one can specify arbitrary JS. That argument doesn't extend to the
import
Andrea: That is a really interesting approach. I would point out that using
data URIs for js means the `data:` scheme has to be a permitted source for
script-src. This allowance has roughly the same security implications as
permitting `unsafe-eval`. I know most people aren’t using CSPs yet, but
> I think these are all nice to have features, but I also think we have all
> the primitives we need to make it happen via pre-processing.
>
>>
I meant even synchronously, with a pre-processor that replace the imported
module with
'data:text/javascript,' +
sorry, I meant:
JSON.stringify('data:text/javascript,' + moduleContentAfterTreeShaking);
On Tue, Jun 19, 2018 at 10:09 PM, Andrea Giammarchi <
andrea.giammar...@gmail.com> wrote:
>
> I think these are all nice to have features, but I also think we have all
>> the primitives we need to make it
beside the joke, I think there's already everything we need to bundle
modules, either synchronously, or asynchronously within a top level async
execution.
This is an example:
```js
const esm = (realm =>
js => realm.get(js = esm.cache[js]) ||
realm.set(js, import(
On Tue, Jun 19, 2018 at 3:48 PM Jamie wrote:
> I think having an inline module format would help make the composition of
> build tools much easier.
>
> Right now we have an ecosystem where everyone builds libraries into
> bundles using tools like Parcel, Rollup, Browserify, and Webpack. These
>
I think having an inline module format would help make the composition of
build tools much easier.
Right now we have an ecosystem where everyone builds libraries into bundles
using tools like Parcel, Rollup, Browserify, and Webpack. These create
output which get recursively pulled into similar
we need to go deeper ...
```js
(async () => {
const {getPersonType} = await import(`data:application/javascript,
export function getPersonType(person) {
switch (person) {
case 'Teacher': return 'A teacher';
case 'Director': return 'A director';
}
}
`)
console.log(
Few thoughts:
1. Almost all of my actual use cases for inline modules have been
solvable via just creating a new file.
2. If you need a file for a bunch of constants, that's not really a
problem, and in my experience is more maintainable.
3. If you need to group those constants, you have a few
15 matches
Mail list logo
