- From: Jim Manico <jim.manico@owasp.org>
- Date: Sat, 27 Sep 2014 08:48:51 -0700
- To: Marijn Haverbeke <marijnh@gmail.com>, public-webappsec@w3.org

This is a really fair question. One of the only legit uses of the JS *eval* function is runtime loading of resources and similar runtime optimizations for performance enhancements for JS libraries. I'm really curious what the solution is here other than to just be ... slow and not use eval.

- Jim

On 9/26/14, 7:32 AM, Marijn Haverbeke wrote:
> The simple question: why was document.securityPolicy removed? I was
> not able to find the relevant discussion.
>
> Background: I maintain several JavaScript libraries that use run-time
> evaluation as an optimization strategy. Users (mostly building Chrome
> Web Apps) have started reporting problems with using these libraries
> when a CSP is active. It is usually possible to fall back to a slower
> approach without evaluation, but it seems there is no way (short of
> triggering an actual violation) of detecting that such a policy is in
> place, which would be necessary to know when to fall back to the
> eval-less implementation.
>
> Best,
> Marijn Haverbeke

Received on Saturday, 27 September 2014 15:49:49 UTC
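
The fallback pattern discussed in this thread, as an added example that is not part of either message or of any library mentioned: a probe that attempts one evaluation, catches the failure, and selects the eval-less implementation. The names `makeLibrary`, `canEval`, `compileGetter` and `loadLibrary` are hypothetical, and Node's `vm` `codeGeneration` option is used as a stand-in for a CSP without `'unsafe-eval'` so the code runs offline.

```javascript
// Added example (constructed): a library that compiles accessors with
// new Function and falls back to an interpreter when evaluation is blocked.
const vm = require("vm");

function makeLibrary() {
  let evalAllowed; // cached so the probe runs at most once per context

  // The probe is itself a blocked evaluation attempt: under a CSP without
  // 'unsafe-eval' it throws, and a browser also reports it as a violation.
  function canEval() {
    if (evalAllowed === undefined) {
      try { evalAllowed = new Function("return 1")() === 1; }
      catch (e) { evalAllowed = false; }
    }
    return evalAllowed;
  }

  // Returns a getter for a dotted path such as "user.name".
  function compileGetter(path) {
    const keys = path.split(".");
    // Only plain identifiers reach the code generator.
    if (!keys.every((k) => /^[A-Za-z_$][A-Za-z0-9_$]*$/.test(k))) {
      throw new TypeError("invalid path: " + path);
    }
    let getter;
    if (canEval()) {
      getter = new Function("o", "return o." + keys.join(".") + ";");
      getter.mode = "compiled";
    } else {
      getter = (o) => keys.reduce((v, k) => v[k], o);
      getter.mode = "interpreted";
    }
    return getter;
  }
  return { canEval, compileGetter };
}

// Assumption: Node's vm codeGeneration option stands in for the browser
// policy, so the same library source runs with and without eval allowed.
function loadLibrary(allowStrings) {
  const ctx = vm.createContext({}, { codeGeneration: { strings: allowStrings } });
  return vm.runInContext("(" + makeLibrary.toString() + ")()", ctx);
}

const permissive = loadLibrary(true).compileGetter("user.name");
const restricted = loadLibrary(false).compileGetter("user.name");
const sample = { user: { name: "ada" } }; // constructed input
console.log(permissive.mode, permissive(sample), restricted.mode, restricted(sample));
```

Caching the probe result keeps the blocked attempt, and therefore any violation report it causes in a browser, to one per page load.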