- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Fri, 17 Jun 2011 15:39:35 -0700
- To: "sird@rckc.at" <sird@rckc.at>
- CC: Adam Barth <w3c@adambarth.com>, gaz Heyes <gazheyes@gmail.com>, Jarred Nicholls <jarred@sencha.com>, public-web-security@w3.org
On 6/16/11 2:04 PM, sird@rckc.at wrote:
> What is the rationale behind having 2 options?
>
> inline-script and eval-script
>
> Via inline-script you can simulate an eval-script.
>
> Via eval-script you can simulate an inline-script.

The primary rationale is strictly pragmatic: eval() is used in several popular JavaScript libraries.

But there is an important difference. With inline-script, malicious script can be injected. If inline scripts are blocked (and assuming none of the whitelisted hosts were hacked) then the script doing the eval is a trusted script. Of course eval is still dangerous and can be used stupidly, but it's possible to use eval() safely if you're not eval-ing unfiltered user-supplied data. It's risk reduction.

-Dan
Received on Friday, 17 June 2011 22:40:04 UTC
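The risk-reduction argument above can be made concrete by reading a policy and answering the two questions it raises: can injected inline script execute, and which scripts are able to call eval()? The following is an added example and not code from the original post or from Mozilla; it assumes the draft "inline-script" and "eval-script" options correspond to the 'unsafe-inline' and 'unsafe-eval' source keywords that CSP shipped with, and it uses constructed sample headers (cdn.example.invalid is a placeholder host).

```javascript
'use strict';

// Added example, not from the original mailing-list post. It parses the
// script-src directive of a Content-Security-Policy header and reports the
// two facts the thread argues about: whether injected inline script can run,
// and whether (and from where) eval() is reachable.
// Assumption: the draft "inline-script" / "eval-script" options are the
// 'unsafe-inline' / 'unsafe-eval' keywords of the shipped CSP spec.

// Parse "name tok tok; name tok" into { name: [tok, ...] }.
// Browsers honour only the first occurrence of a directive; repeats are ignored.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// script-src governs scripts; if absent, default-src applies; if both are
// absent there is no script restriction at all.
function effectiveScriptSources(directives) {
  if ('script-src' in directives) return directives['script-src'];
  if ('default-src' in directives) return directives['default-src'];
  return null;
}

function analyzeScriptPolicy(header) {
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) {
    return {
      inlineAllowed: true,
      evalAllowed: true,
      sources: [],
      verdict: 'no script restriction: injected inline script runs and any script may eval()',
    };
  }
  const lower = sources.map((s) => s.toLowerCase());
  // A nonce or hash source switches 'unsafe-inline' off (CSP Level 2 behaviour).
  const hasNonceOrHash = lower.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  const inlineAllowed = lower.includes("'unsafe-inline'") && !hasNonceOrHash;
  const evalAllowed = lower.includes("'unsafe-eval'");

  let verdict;
  if (inlineAllowed) {
    verdict = 'inline script allowed: injected markup executes directly, so restricting eval() gains nothing';
  } else if (evalAllowed) {
    verdict = 'inline blocked, eval allowed: only scripts served from the listed sources can call eval(); ' +
      'exposure is limited to those hosts being trustworthy and not eval-ing unfiltered input';
  } else {
    verdict = 'inline and eval both blocked';
  }
  return { inlineAllowed, evalAllowed, sources, verdict };
}

// Constructed sample headers covering the cases discussed in the thread.
const SAMPLE_POLICIES = [
  "script-src 'self' 'unsafe-inline'",
  "script-src 'self' cdn.example.invalid 'unsafe-eval'",
  "default-src 'self'",
  "img-src 'self'",
];

for (const policy of SAMPLE_POLICIES) {
  const r = analyzeScriptPolicy(policy);
  console.log(`${policy}\n  inline=${r.inlineAllowed} eval=${r.evalAllowed} -> ${r.verdict}`);
}
```

The middle case in the sample list is the one Dan describes: inline is blocked, so the only code that can reach eval() is whatever is served from 'self' and the listed host, which narrows the question to whether those hosts are trustworthy and whether their eval() inputs are filtered. The first case shows why allowing inline script makes any eval restriction moot, and the fourth shows that a policy with neither script-src nor default-src restricts scripts not at all.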