- From: Mike West <mkwst@google.com>
- Date: Wed, 28 Jan 2015 10:45:03 +0100
- To: david kaye <dfkaye@yahoo.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Wednesday, 28 January 2015 09:45:51 UTC
On Tue, Jan 27, 2015 at 11:04 PM, david kaye <dfkaye@yahoo.com> wrote:
> Would it be possible to define the eval restriction a bit differently, for
> instance with 'eval-src: self' to allow Function() calls *only* from
> trusted sources?

Practically, V8 only offers a global switch to turn code generation from
strings on or off. Gecko might have an easier time with this proposal,
perhaps?

Theoretically, the notion of a "trusted source" becomes hazy quite quickly.
As a simple example, consider the following two files:

    // file1.js
    function doEval(str) {
      eval(str);
    }

    // file2.js
    doEval('alert("Hello, world!");');

If you include both files, which one do you gate on `eval-src`?

-mike