Mike Samuel

Results: 183 comments by Mike Samuel

@Sora2455 It's true that direct `eval` can't be polyfilled, but indirect `eval` can be as can direct uses of `new Function`:
```js
function functionPolyfill(...args) {
  // Load code via DOM...
```

@koto > I think we should respect the existing restrictions of unsafe-eval (i.e. no eval and friends would be allowed, even with TrustedScript in the presence of unsafe-eval alone) for...

@koto, It sounds like you're agreeing with: > * Absence of unsafe-eval means eval(x) allowed for no x What about if I want to write a CSP policy so that:...

> Actually, @arturjanc reminds that 'unsafe-eval' only kicks in for strings (at least in Chrome): > ... > However, Chrome's behavior does not conform to spec: https://tc39.github.io/ecma262/#sec-eval-x and indeed, Firefox...

@Sora2455 said > I should also note that the `new Function("return this")` use case is covered by `globalThis`, and the eval(JSON) is well and truly covered by JSON.parse. Do modern...

@koto > > * the absence of unsafe-eval means eval(x) fails for all x unless trusted-types is specified and Type(x) is TrustedScript. > > If we can get it into...

Ok. I think he's on vacation. I'll try to wrangle 10 minutes FTF.

Use case: runtime guards This came up at es-discuss ["Proposal to add symbol: hasInstanceStrict"](https://mail.mozilla.org/pipermail/es-discuss/2018-February/050245.html) that > attempts to provide an intermediate layer for implementing runtime type checking. to which TJCrowser...

+@koto Goals should include not undoing the work of polyfills like https://github.com/WICG/trusted-types which need to patch setters and some getters on element prototypes to gate access to browser builtins. The...

You are free to define goals and non-goals for your proposal, but I would like to avoid surprises down the road. Fyi, it is a goal of ISE so if...