Guy Bedford (2013-11-01T15:34:37.000Z)
I suppose I am hypothesising that it might be possible to limit the
invocation to the outer scope only in some CSP mode.

// allowed:
System.define(['some-module'], ['export var q = "p";']);

// not allowed:
(function() {
  System.define(['some-module'], ['export var q = "p";']);
})();

In this way, your window.onload example would not be possible, and no
dynamic injections would be possible in any way that is different to running
a typical script.

But yes, my assumption is that such a non-standard restriction might be
possible.

On 1 November 2013 16:30, Erik Arvidsson <erik.arvidsson at gmail.com> wrote:

> I think I must be missing something?
>
> On Fri, Nov 1, 2013 at 6:47 AM, Guy Bedford <guybedford at googlemail.com> wrote:
>
>> Surely this can be dealt with by extending the CSP policy to allow script
>> domains which are able to call System.define.
>>
>
> How is that different to extending the CSP policy to allow script domains
> to call eval/Function?
>
>
>> Surely it is an equivalent permission to being able to load script from
>> the domain anyway, when it is restricted to running in the outer scope only?
>>
>
> I don't see how it is equivalent to loading scripts?
>
> window.onload = function() {
>   System.define(['name'], [`export var name = '${ document.querySelector('#name').value }';`]);
> };
>
> function later() {
>   var nameModule = System.import('name');
>   alert(`Hello ${ nameModule.name }!`);
> }
>
> How is it restricted to running in the outer scope?
>
> --
> erik
>
domenic at domenicdenicola.com (2013-11-12T17:25:53.946Z)
I suppose I am hypothesising that it might be possible to limit the
invocation to the outer scope only in some CSP mode.

```js
// allowed:
System.define(['some-module'], ['export var q = "p";']);

// not allowed:
(function() {
  System.define(['some-module'], ['export var q = "p";']);
})();
```

In this way, your window.onload example would not be possible, and no
dynamic injections would be possible in any way that is different to running
a typical script.

But yes, my assumption is that such a non-standard restriction might be
possible.