[webappsec] "operator eval"

From: Brad Hill <hillbrad@fb.com>
Date: Fri, 14 Nov 2014 23:35:56 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <D08BD1DB.F3E%hillbrad@fb.com>

Silly question?

CSP both 1 and 2 say:

If 'unsafe-eval' is not in allowed script sources
<https://w3c.github.io/webappsec/specs/content-security-policy/#allowed-script-sources>:

* Instead of evaluating their arguments, both operator eval and function
eval [ECMA-262]
<https://w3c.github.io/webappsec/specs/content-security-policy/#biblio-ecma-262>
MUST throw an EvalError exception.


Function eval I understand.  I'm not sure what's meant in this context by
"operator eval" in order to write a test for it.  I even looked at
ECMA-262.  Spec bug or am I just clueless?  (or both?)

-Brad

Received on Friday, 14 November 2014 23:36:20 UTC
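
An added example, not part of the original message or of the CSP specification: a sketch of the kind of test asked about, assuming "operator eval" means the direct call form `eval(...)` and "function eval" means eval invoked as an ordinary function value. Node's `vm` option `codeGeneration: { strings: false }` stands in here for a policy without 'unsafe-eval'; the probe names and `probeEval` are hypothetical.

```javascript
const vm = require('node:vm');

// Function bodies run inside the sandboxed context (names are hypothetical).
const PROBES = {
  // Assumed reading of "operator eval": the direct call form.
  directEval: 'return eval("1 + 1");',
  // Assumed reading of "function eval": eval used as a plain function value.
  indirectEval: 'return (0, eval)("1 + 1");',
  aliasedEval: 'var e = eval; return e("1 + 1");',
};

// allowStrings=false models a policy without 'unsafe-eval'.
// Assumption: a Node vm context is a stand-in, not a browser enforcing CSP.
function probeEval(allowStrings) {
  const context = vm.createContext({}, {
    codeGeneration: { strings: allowStrings },
  });
  const results = {};
  for (const [name, body] of Object.entries(PROBES)) {
    // Catch inside the context so only a string crosses the boundary.
    const src = `(function () {
      try { return "ran:" + (function () { ${body} })(); }
      catch (err) { return "threw:" + err.name; }
    })()`;
    results[name] = vm.runInContext(src, context);
  }
  return results;
}

console.log('strings blocked:', probeEval(false));
console.log('strings allowed:', probeEval(true));
```

A browser test would make the same three calls from a page served with a policy that omits 'unsafe-eval' and assert on the exception name in each case.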
