You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
For any given string str, their behavior should be identical. Only direct eval should capture context from where it's being called, while Function and indirect eval (and setTimeout, even if it's in HTML) should not.
However, Function("import(...)") is defined to use the Function/(0, eval)'s caller as import()'s referrer, introducing a dynamic scope case other than direct eval.
eshost Output:
Browsers behavior varies:
Firefox implements the spec for Function, eval, and setTimeout
Chrome implements the spec for Function and eval, but not setTimeout
Description: Consider these two programs:
For any given string
str
, their behavior should be identical. Only directeval
should capture context from where it's being called, whileFunction
and indirecteval
(andsetTimeout
, even if it's in HTML) should not.However,
Function("import(...)")
is defined to use theFunction
/(0, eval)
's caller asimport()
's referrer, introducing a dynamic scope case other than direct eval.eshost Output:
Browsers behavior varies:
Function
,eval
, andsetTimeout
Function
andeval
, but notsetTimeout
You can find a test with various cases at https://github.com/nicolo-ribaudo/function-dynamic-scoping.
Proposed behavior:
In all these cases,
import()
's referrer should not capture any script or module, and instead fallback to using the current realm as the referrer.I believe that this is what is already happening in the following case, as described in #871:
The text was updated successfully, but these errors were encountered: