How can eval code not have a calling context?

# Mark S. Miller (16 years ago)

ES3 says:

> 10.2.2 Eval Code
>
> When control enters an execution context for eval code, the previous active execution context, referred to as the calling context, is used to determine the scope chain, the variable object, and the this value. If there is no calling context, then initialising the scope chain, variable instantiation, and determination of the this value are performed just as for global code.

I am baffled by "If there is no calling context,". How could the possibility arise? How would eval get called if no one calls it?

# Brendan Eich (16 years ago)

On Jun 19, 2008, at 4:49 PM, Mark S. Miller wrote:

> ES3 says:
>
> 10.2.2 Eval Code
>
> When control enters an execution context for eval code, the previous active execution context, referred to as the calling context, is used to determine the scope chain, the variable object, and the this value. If there is no calling context, then initialising the scope chain, variable instantiation, and determination of the this value are performed just as for global code.
>
> I am baffled by "If there is no calling context,". How could the possibility arise? How would eval get called if no one calls it?

A call from native code, the "host" program.

Some browsers support indirect eval, allowing this:

setTimeout(eval, 0, "alert('hi mom')")

The window used is the one in which setTimeout was found along the
scope chain, so

myFrame.setTimeout(eval, 0, "alert(x)")

should show myFrame.x, not the calling frame or window's x.

This is not something patched Firefox major versions support.

# Mark S. Miller (16 years ago)

On Thu, Jun 19, 2008 at 6:43 PM, Brendan Eich <brendan at mozilla.org> wrote:

> On Jun 19, 2008, at 4:49 PM, Mark S. Miller wrote:
>
>> I am baffled by "If there is no calling context,". How could the possibility arise? How would eval get called if no one calls it?
>
> A call from native code, the "host" program.
>
> Some browsers support indirect eval, allowing this:
>
> setTimeout(eval, 0, "alert('hi mom')")
>
> The window used is the one in which setTimeout was found along the scope chain, so
>
> myFrame.setTimeout(eval, 0, "alert(x)")
>
> should show myFrame.x, not the calling frame or window's x.
>
> This is not something patched Firefox major versions support.

Thanks, this was very clarifying. Which of these cases would ES4 consider to be uses of the eval operator, and which of the eval function?

# Brendan Eich (16 years ago)

On Jun 19, 2008, at 8:20 PM, Mark S. Miller wrote:

>> Some browsers support indirect eval, allowing this:
>>
>> setTimeout(eval, 0, "alert('hi mom')")
>>
>> The window used is the one in which setTimeout was found along the scope chain, so
>>
>> myFrame.setTimeout(eval, 0, "alert(x)")
>>
>> should show myFrame.x, not the calling frame or window's x.
>>
>> This is not something patched Firefox major versions support.
>
> Thanks, this was very clarifying. Which of these cases would ES4 consider to be uses of the eval operator, and which of the eval function?

No eval operator calls above ;-). No function calls to foo.eval where
foo is a window either. These are indirect eval calls via setTimeout.
We ban them in Firefox precisely because there is no calling context,
so we don't know the trust label of the caller.
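
An added example, not code from any of the posts above: it contrasts a direct `eval` call with `eval` invoked through another function, for the three things the quoted ES3 text names (scope chain, variable instantiation, this value). It assumes an engine following ES5 or later, where an indirect call is evaluated as global code; `hostInvoke` is a hypothetical stand-in for a host API such as `setTimeout(eval, 0, src)`.

```javascript
// Constructed sample state: a global binding shadowed by a local of the same name.
globalThis.x = "global x";

// Hypothetical stand-in for a host API such as setTimeout(eval, 0, src):
// eval arrives as a plain function value, so the call below is not a
// direct eval and the evaluated code has no script caller's scope to use.
function hostInvoke(fn, src) {
  return fn(src);
}

const receiver = {
  // Direct call: the callee is literally named `eval`, so the evaluated
  // code runs in the calling context.
  direct() {
    const x = "local x";
    return {
      scope: eval("x"),                         // resolves the caller's local
      thisIsReceiver: eval("this") === this,    // inherits the caller's this
      varLeaks: (eval("var d1 = 1"), "d1" in globalThis), // stays out of the global object
    };
  },

  // Indirect call: same function object, reached through hostInvoke.
  // Scope chain, variable instantiation and this are set up as for global code.
  indirect() {
    const x = "local x";                        // never visible to the evaluated code
    return {
      scope: hostInvoke(eval, "x"),             // resolves the global binding
      thisIsGlobal: hostInvoke(eval, "this") === globalThis,
      varLeaks: (hostInvoke(eval, "var i1 = 1"), "i1" in globalThis), // lands on the global object
    };
  },
};

console.log("direct  :", receiver.direct());
console.log("indirect:", receiver.indirect());
```
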