Comment #2 on issue 1258 by [email protected]: V8 should expose an API to disable eval and other APIs that convert strings to code
http://code.google.com/p/v8/issues/detail?id=1258

It says that the restrictions are *per resource*

It means per v8::Context.  The spec needs some cleanup w.r.t. terminology.

If the former, it seems to me that this feature should be per context (per document loaded), e.g., registering a function that logs a violation and returns whether to proceed or not (for report-only mode).

Yes. Getting a callback would be very helpful for report-only mode (and for sending error reports).

If two pages can communicate (one has a reference to the other's window object), it shouldn't be possible to circumvent the prevention by calling the other page's eval directly.

That's actually fine. Similarly, you could reach into the other page's DOM and add an <img> element to get around the img-src restrictions. Turning off eval is to help the developer not shoot themselves in the foot.

Is there any thought on how this interacts with web-workers? Should it be possible to load a web-worker that does eval, since it happens in a separate scope?

Good question. I don't know the answer, but I can ask the working group for an opinion.

Thanks for the questions!

--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
