Mark Miller (2014-03-27T16:31:33.000Z)
domenic at domenicdenicola.com (2014-03-30T16:11:07.326Z)
On Thu, Mar 27, 2014 at 9:11 AM, Erik Arvidsson <erik.arvidsson at gmail.com> wrote:

> The V8 API has some issues that it returns objects (getThis, getFunction
> and getEvalOrigin). For security reasons we would want to limit what the
> API gives you to names and locations.

+1.

> We can probably reuse V8's and Chakra's toString format here.

I think that's a good place to start, and https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/debug.js#158 attempts to normalize other browsers to the v8 format. However, in doing so we discovered that FF Nightly 30 includes useful extra information, regarding nested eval contexts, which this code throws away with the "FFEvalLineColPatterns" regexp. Before adopting the v8 format, we should discuss whether this extra information is useful enough that we should find a way to keep it. Mozillians, why did you add this extra information?

Also, rather than startline/startcolumn, we should really do what Smalltalk has done forever: startline/startcolumn/endline/endcolumn.

> Same here. New API. What is the desired behavior?

The stack should not be accessible given only the error object. Rather, there should be a [getStack function](https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/debug.js#300) which, given an error object, returns the stack. That way, code which does not have access to the getStack function cannot see the stacks.
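
The getStack design described in the message above, as an added JavaScript illustration (not code from the message or from Caja's debug.js): V8-format stack text is reduced to frozen name/location records, moved off the error object into a WeakMap, and readable only through `getStack`. The names `parseV8Stack`, `makeStackVault` and `hide`, and the sample stack, are constructed for this example.

```javascript
'use strict';
// Added illustration; parseV8Stack, makeStackVault and hide are hypothetical names.

// Constructed sample of V8's toString stack format (not from a real program).
const SAMPLE_STACK = [
  'Error: boom',
  '    at readConfig (/app/config.js:12:9)',
  '    at /app/main.js:3:1',
].join('\n');

// One V8 frame: "at name (source:line:col)" or "at source:line:col".
const V8_FRAME = /^\s*at (?:(.*?) \()?(.*?):(\d+):(\d+)\)?$/;

// Reduce stack text to names and locations only: plain frozen records,
// never references to the receiver, the function or the eval origin.
function parseV8Stack(text) {
  const frames = [];
  for (const line of String(text).split('\n')) {
    const m = V8_FRAME.exec(line);
    if (!m) continue; // skips the "Error: message" header line
    frames.push(Object.freeze({
      name: m[1] || null,
      source: m[2],
      line: Number(m[3]),
      column: Number(m[4]),
    }));
  }
  return Object.freeze(frames);
}

function makeStackVault() {
  const stacks = new WeakMap(); // error object -> frozen frame list

  // Move the stack off the error so holding the error alone reveals nothing.
  function hide(err) {
    stacks.set(err, parseV8Stack(err.stack));
    Object.defineProperty(err, 'stack',
      { value: undefined, writable: false, configurable: false });
    return err;
  }

  // The capability: only code that was handed this function can read stacks.
  function getStack(err) {
    return stacks.get(err);
  }

  return Object.freeze({ hide, getStack });
}
```

The isolation holds only for errors that pass through `hide` before untrusted code sees them, so the code that installs the vault has to run first and keep `getStack` out of reach of code that should not read stacks.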