-
Notifications
You must be signed in to change notification settings - Fork 71
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: crash under csp #1333
fix: crash under csp #1333
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Freeze would suffice here
Not in scope for this PR, but wondering what kind of test we could have to make sure we don't break no-eval environments. The setup would likely look like replacing the evaluators with functions that throw before importing ses. The question is how to scope a subset of the tests with this environment. |
since Compartment is not available under no-eval environment, test lockdown is enough. |
As it happens, you wrote one already. https://github.com/endojs/endo/blob/master/packages/ses/test/test-no-eval.js It’s marked as
|
Oh lol, thanks past me! |
Co-authored-by: Kris Kowal <kris@cixar.com>
I’m landing this as it’s incremental progress. Further work will be necessary to avoid eval with a lockdown flag without compromising lockdown invariants. |
close #1281