[Bug 22752] [imports]: Imports should respect CSP

https://www.w3.org/Bugs/Public/show_bug.cgi?id=22752

--- Comment #2 from Morrita Hajime <morrita@google.com> ---
Noticed that it's hard to enforce a non-eval() policy
because imports share their context with the master.

V8/Blink doesn't have a mechanism to switch allow/disallow eval
per script evaluation. Also, it's hard to track the call site
if we call eval in some callbacks.

In practice though, this won't be a problem because
apps/sites which want to prohibit eval() in imports will want to prohibit
eval() in their own context.

So the question here is whether we should explicitly exclude eval() blocking
or leave it as an implementation limitation.


Received on Friday, 26 July 2013 05:18:18 UTC