Updates:
Status: PendingFurtherInfo
Labels: Type-FeatureRequest
Comment #1 on issue 1258 by [email protected]: V8 should expose an API
to disable eval and other APIs that convert strings to code
http://code.google.com/p/v8/issues/detail?id=1258
I have scanned the specification only, so my questions might be a little
naïve.
It says that the restrictions are *per resource*, but calls the resource a
*document*. Does that mean an HTML (or similar) document, or does it cover
individual resources in a page (e.g., a single JavaScript file)?
If the former, it seems to me that this feature should be per context (per
document loaded), e.g., registering a function that logs a violation and
returns whether to proceed or not (for report-only mode).
If it's per single resource, it's less obvious how it works. If
restricted code is loaded, it can't use "eval", but would it be able to
call another function from outside that resource that then calls "eval"? Or
is eval prevented for any function called (transitively) from code from the
restricted resource? (Otherwise, what about Function.call.call.call(null,
null, null, string), which arguably doesn't call Function, but calls a
function that does?)
If two pages can communicate (one has a reference to the other's window
object), it shouldn't be possible to circumvent the prevention by calling
the other page's eval directly.
Is there any thought on how this interacts with web-workers? Should it be
possible to load a web-worker that does eval, since it happens in a
separate scope?
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev