- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Sat, 27 Sep 2014 10:39:06 -0700
- To: Jim Manico <jim.manico@owasp.org>
- Cc: Marijn Haverbeke <marijnh@gmail.com>, public-webappsec@w3.org
Received on Saturday, 27 September 2014 17:39:33 UTC
Does a try catch around eval work?

On Sep 27, 2014 8:51 AM, "Jim Manico" <jim.manico@owasp.org> wrote:

> This is a really fair question. One of the only legit uses of the JS
> *eval* function is runtime loading of resources and similar runtime
> optimizations for performance enhancements for JS libraries. I'm really
> curious what the solution is here other than to just be ... slow and not
> use eval.
>
> - Jim
>
>
> On 9/26/14, 7:32 AM, Marijn Haverbeke wrote:
>
>> The simple question: why was document.securityPolicy removed? I was
>> not able to find the relevant discussion.
>>
>> Background: I maintain several JavaScript libraries that use run-time
>> evaluation as an optimization strategy. Users (mostly building Chrome
>> Web Apps) have started reporting problems with using these libraries
>> when a CSP is active. It is usually possible to fall back to a slower
>> approach without evaluation, but it seems there is no way (short of
>> triggering an actual violation) of detecting that such a policy is in
>> place, which would be necessary to know when to fall back to the
>> eval-less implementation.
>>
>> Best,
>> Marijn Haverbeke
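The try/catch probe and eval-less fallback discussed in this thread, as an added example that is not code from any participant or from the libraries mentioned. The names `probeCodegen`, `makeGetter` and `blockedCompile` and the injectable `compile` parameter are hypothetical; `blockedCompile` is a constructed stand-in for a page whose CSP omits 'unsafe-eval', where the Function constructor throws EvalError.

```javascript
// Path segments are checked before they are spliced into generated source,
// so the compiled path cannot be used to inject code.
const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Probe: can `compile` turn a string into a function?
// In a browser a failed probe still raises a CSP violation report,
// so a library would run it once and remember the answer.
function probeCodegen(compile = Function) {
  try {
    return compile('return 1')() === 1;
  } catch (e) {
    return false;
  }
}

// Slow path: walk the property path on every call, no code generation.
function interpretedGetter(parts) {
  return function (obj) {
    let cur = obj;
    for (const p of parts) {
      if (cur == null) return undefined;
      cur = cur[p];
    }
    return cur;
  };
}

// Fast path: generate a straight-line accessor for the path.
function compiledGetter(parts, compile) {
  let src = 'var c = o;';
  for (const p of parts) src += 'if (c == null) return undefined; c = c.' + p + ';';
  return compile('o', src + 'return c;');
}

// Picks the implementation; both return the same values.
function makeGetter(path, compile = Function) {
  const parts = path.split('.');
  if (!parts.every((p) => IDENT.test(p))) throw new TypeError('invalid path: ' + path);
  return probeCodegen(compile) ? compiledGetter(parts, compile) : interpretedGetter(parts);
}

// Constructed stand-in for a CSP-restricted page (assumption, see lead-in).
function blockedCompile() {
  throw new EvalError('Code generation from strings disallowed');
}
```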