- From: Brad Hill <hillbrad@fb.com>
- Date: Fri, 14 Nov 2014 23:35:56 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>

Silly question?

CSP both 1 and 2 say:

If 'unsafe-eval' is not in allowed script sources <https://w3c.github.io/webappsec/specs/content-security-policy/#allowed-script-sources>:

* Instead of evaluating their arguments, both operator eval and function eval [ECMA-262] <https://w3c.github.io/webappsec/specs/content-security-policy/#biblio-ecma-262> MUST throw an EvalError exception.

Function eval I understand. I'm not sure what's meant in this context by "operator eval" in order to write a test for it. I even looked at ECMA-262.

Spec bug or am I just clueless? (or both?)

-Brad

Received on Friday, 14 November 2014 23:36:20 UTC