domenic at domenicdenicola.com (2013-11-12T17:26:33.269Z)
I think I must be missing something?
On Fri, Nov 1, 2013 at 6:47 AM, Guy Bedford <guybedford at googlemail.com>wrote:
> Surely this can be dealt with by extending the CSP policy to allow script
> domains which are able to call System.define.
>
How is that different to extending the CSP policy to allow script domains
to call eval/Function?
> Surely it is an equivalent permission to being able to load script from
> the domain anyway, when it is restricted to running in the outer scope only?
>
I don't see how it is equivalent to loading scripts?
```js
window.onload = function() {
System.define(['name'], [`export var name = '${document.querySelector('#name').value }';`)]);
};
function later() {
var nameModule = System.import('name');
alert(`Hello ${ nameModule.name }!`);
}
```
How is it restricted to running in the outer scope?
I think I must be missing something? On Fri, Nov 1, 2013 at 6:47 AM, Guy Bedford <guybedford at googlemail.com>wrote: > Surely this can be dealt with by extending the CSP policy to allow script > domains which are able to call System.define. > How is that different to extending the CSP policy to allow script domains to call eval/Function? > Surely it is an equivalent permission to being able to load script from > the domain anyway, when it is restricted to running in the outer scope only? > I don't see how it is equivalent to loading scripts? window.onload = function() { System.define(['name'], [`export var name = '${ document.querySelector('#name').value }';`)]); }; function later() { var nameModule = System.import('name'); alert(`Hello ${ nameModule.name }!`); } How is it restricted to running in the outer scope? -- erik -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20131101/890c5607/attachment.html>