[webappsec] "operator eval"

From: Brad Hill <hillbrad@fb.com>
Date: Fri, 14 Nov 2014 23:35:56 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <D08BD1DB.F3E%hillbrad@fb.com>

Silly question?

CSP both 1 and 2 say:

If 'unsafe-eval' is not in allowed script sources


* Instead of evaluating their arguments, both operator eval and function
eval [ECMA-262] MUST throw an EvalError exception.

Function eval I understand.  I'm not sure what's meant in this context by
"operator eval" in order to write a test for it.  I even looked at
ECMA-262.  Spec bug or am I just clueless?  (or both?)


Received on Friday, 14 November 2014 23:36:20 UTC
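
An added example, not part of the original message: a Node.js harness that checks both call forms of eval throw EvalError once string evaluation is disabled. It assumes "operator eval" means a direct call `eval(src)` and "function eval" means a call through another reference such as `(0, eval)(src)`; Node's `vm` `codeGeneration` option stands in for a page whose policy lacks 'unsafe-eval', and the names `CALL_FORMS`, `probe` and `runSuite` are made up for this sketch.

```javascript
// Added example: Node's vm module is a stand-in for a browser enforcing a
// policy without 'unsafe-eval'. It is not a CSP implementation.
const vm = require('node:vm');

// Assumption: "operator eval" = direct call, "function eval" = indirect call.
const CALL_FORMS = {
  direct: "eval('scope')",
  indirect: "(0, eval)('scope')",
};

// Run one call form in a fresh context. The outcome is returned as a string
// so the check does not rely on instanceof across realms.
function probe(callForm, allowStrings) {
  const context = vm.createContext(
    {},
    { codeGeneration: { strings: allowStrings, wasm: false } }
  );
  const script = `
    var scope = 'global';
    (function () {
      var scope = 'local';
      try {
        return 'evaluated:' + ${callForm};
      } catch (e) {
        return 'threw:' + e.name;
      }
    })()`;
  return vm.runInContext(script, context);
}

// Exercise every call form with string evaluation blocked and allowed.
// The allowed run is the control: it shows the two forms really are
// different code paths (local scope versus global scope).
function runSuite() {
  const results = {};
  for (const [name, form] of Object.entries(CALL_FORMS)) {
    results[name] = {
      blocked: probe(form, false),
      allowed: probe(form, true),
    };
  }
  return results;
}

console.log(runSuite());
```

In a browser test the same two call forms would be run in a page served with a policy that omits 'unsafe-eval', with the control run served with it present.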
