David Bruant (2014-01-20T18:22:46.000Z)
On 20/01/2014 18:39, Brendan Eich wrote:
> Allen Wirfs-Brock wrote:
>> It isn't clear that there is much need for a global name for 
>> GeneratorFunction.  If you really need to access it you can always get it 
>> via:
>>
>>    (function *() {}).constructor
Do we even need (function *() {}).constructor !== Function?
(and [[FunctionKind]] "generator" and a different @@toStringTag and...)
What is its use case anyway? Creating a generator from source?
What's wrong with:
     eval("(function*(x, y, z, ...yo){/*body*/})")
(and when the source isn't trusted, use indirect eval or soon enough the 
module loader)

> Does this present a hazard for CSP, which provides policy controls 
> governing Function?
It introduces something that probably should be disabled by default and 
re-enabled only if the unsafe-eval "origin" is present.
From a security perspective, note that this is a marginal 
(non-existent) protection and the underlying capability (executing 
arbitrary code) remains since an attacker can download a JS interpreter 
to eval any string itself.

David
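Added example (not from the thread): Node-style JavaScript that shows the constructor Allen mentions, the eval route David suggests, and a probe a CSP test harness could use to confirm that a policy without 'unsafe-eval' blocks all three string-to-code paths. The helper names are my own.

```javascript
// The constructor reachable without any global name, as in Allen's message.
const GeneratorFunction = (function* () {}).constructor;

// Builds a generator function from source text via GeneratorFunction:
// the same capability as Function applied to a generator body.
function generatorFromSource(params, body) {
  return new GeneratorFunction(params, body);
}

// Same result via the route David proposes: eval of a generator expression
// (parenthesised so the string parses as an expression, not a declaration).
function generatorViaEval(params, body) {
  return eval("(function* (" + params + ") {" + body + "})");
}

// True iff GeneratorFunction is a distinct constructor from Function.
function isDistinctConstructor() {
  return GeneratorFunction !== Function;
}

// Probes each dynamic-code path and reports which ones the runtime allows.
// Unrestricted Node returns all three; a page whose CSP omits 'unsafe-eval'
// should make every probe throw an EvalError, so a deployment test can
// assert this returns [] there.
function allowedDynamicCodePaths() {
  const probes = {
    eval: () => eval("1 + 1"),
    Function: () => new Function("return 1 + 1")(),
    GeneratorFunction: () => generatorFromSource("", "yield 1 + 1")().next(),
  };
  const allowed = [];
  for (const [name, probe] of Object.entries(probes)) {
    try {
      probe();
      allowed.push(name);
    } catch (e) {
      // Blocked by policy (or unsupported): not counted as allowed.
    }
  }
  return allowed;
}
```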