Re: HTML for games wish list

On Tuesday, 25 October 2011 at 14:55, Gerd Wagner wrote:
> > > > eval() can't ever be removed from the Web Platform, as it's a core component and too much content would break. Do you have a pointer to where a browser maker has stated they intend to remove support for it?
>> Yes, in FF 7.0.1 and FF 8.0 beta the flag security.csp.enable, which is true by default, prevents the execution of eval statements (leading to a security exception).
> Do you have code of it failing and a link to where Mozilla made such an announcement?
> Yes, Mozilla says in https://wiki.mozilla.org/Security/CSP/Specification (which is the basis of "a public working draft of a potential specification"):
Right, so it's just a proposal that may, one day, become an actual standard (or not). And a feature one must opt into, at that.
> When CSP is activated for a site, a few base restrictions (https://wiki.mozilla.org/Security/CSP#Content_Restrictions) in the browser environment are enforced by default to help provide proper enforcement of any policy defined. These base restrictions provide general security enhancements by limiting the types of dynamic content that is allowed: generally any script on a site that converts text into code (through the use of eval() or similar functions) is disallowed.
Yes, but you can also allow them through not using the mechanism, right? So, just don't use it for your game/system. 

Received on Tuesday, 25 October 2011 14:41:45 UTC
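
The opt-in behaviour discussed in this message, as an added example that is not part of the original e-mail: a check of whether a response's headers would make a browser refuse eval(). It assumes the later standardized `Content-Security-Policy` header and `'unsafe-eval'` keyword rather than the 2011 Mozilla draft syntax quoted above; the function names and sample headers are constructed for illustration.

```javascript
// Parse one policy string into a Map: directive name -> list of source tokens.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// eval() is governed by script-src, falling back to default-src.
// With neither directive present, the policy places no restriction on it.
function policyBlocksEval(policy) {
  const d = parsePolicy(policy);
  const sources = d.get("script-src") ?? d.get("default-src");
  if (sources === undefined) return false;
  // Keyword sources are matched case-insensitively.
  return !sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// headers: plain object of response headers (names are case-insensitive).
// Only the enforcing header counts; the -Report-Only variant never blocks.
function evalBlocked(headers) {
  const policies = [];
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== "content-security-policy") continue;
    // One header value may carry several comma-separated policies.
    for (const p of String(value).split(",")) {
      if (p.trim()) policies.push(p);
    }
  }
  // Every delivered policy is enforced, so one blocking policy is enough.
  return policies.some(policyBlocksEval);
}

// Constructed sample responses.
const noCsp = { "Content-Type": "text/html" };
const strict = { "Content-Security-Policy": "default-src 'self'" };
const gameOptOut = {
  "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-eval'",
};
const reportOnly = { "Content-Security-Policy-Report-Only": "script-src 'self'" };

console.log(evalBlocked(noCsp), evalBlocked(strict), evalBlocked(gameOptOut));
```
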