domenic at domenicdenicola.com (2014-01-24T20:02:14.012Z)
On Mon 20 Jan 2014 18:39, Brendan Eich <brendan at mozilla.com> writes: > Does this present a hazard for CSP, which provides policy controls > governing Function? [Relevant spec](http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#script-src) I guess CSP needs to be updated to have similar language for GeneratorFunction as for Function. As Allen mentions, though it doesn't have a name it is accessible. I just took a look at SM and V8 and it seems both of them respect CSP for the GeneratorFunction constructor, though both are lacking test cases. Not sure how to trigger such a test case without a browser.
On Mon 20 Jan 2014 18:39, Brendan Eich <brendan at mozilla.com> writes: > Allen Wirfs-Brock wrote: >> It isn't clear that there much need for a global name for >> GeneratorFunction. If you really eed to access it can always get it >> via: >> >> (function *() {}).constructor > > Does this present a hazard for CSP, which provides policy controls > governing Function? Relevant spec: http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#script-src I guess CSP needs to be updated to have similar language for GeneratorFunction as for Function. As Allen mentions, though it doesn't have a name it is accessible. I just took a look at SM and V8 and it seems both of them respect CSP for the GeneratorFunction constructor, though both are lacking test cases. Not sure how to trigger such a test case without a browser. Andy