stefanpenner / es6-promise

A polyfill for ES6-style Promises
MIT License

Use of eval in polyfill function #261

Closed juandopazo closed 7 years ago

juandopazo commented 7 years ago

Hi!

es6-promise is using eval in the form of Function('return this')() to get to the global object. This is a pretty awesome hack that is very reliable in strict mode. However, it hinders the use of Content Security Policy to prevent unwanted uses of eval.

Thoughts?

stefanpenner commented 7 years ago

@juandopazo that code-path should only be taken if there is no self or global. self should be present in a browser with CSP. Is it not the case that if that branch is avoided no CSP issue arises, or have I misunderstood?
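An added example (not es6-promise's own code) of the runtime check described above: prefer self/global/globalThis and only fall back to Function('return this')(), which a CSP without 'unsafe-eval' rejects, when nothing else is available. The function names are assumptions for this example.

```javascript
// Added example, not code from es6-promise. Resolve the global object without
// using Function('return this')() unless no named global exists. Under a CSP
// such as "script-src 'self'" (no 'unsafe-eval'), the Function constructor
// throws an EvalError; the try/catch surfaces that instead of crashing.
function getGlobalObject() {
  // typeof on an undeclared identifier is safe, so each probe can run anywhere.
  if (typeof globalThis === 'object' && globalThis !== null) return globalThis;
  if (typeof self === 'object' && self !== null) return self;       // browsers, workers
  if (typeof window === 'object' && window !== null) return window; // older browsers
  if (typeof global === 'object' && global !== null) return global; // Node.js
  // Last resort: the eval-based trick. Reliable in strict mode and modules,
  // but blocked by a CSP that forbids 'unsafe-eval'.
  try {
    return Function('return this')();
  } catch (err) {
    return undefined; // CSP blocked code generation; caller decides what to do
  }
}

// Reports whether the eval-based fallback would even be usable here, i.e.
// whether Function('return this')() runs without a CSP-triggered EvalError.
function evalFallbackAllowed() {
  try {
    return Function('return this')() !== undefined;
  } catch (err) {
    return false;
  }
}

module.exports = { getGlobalObject, evalFallbackAllowed };
```

In a page served with a CSP that omits 'unsafe-eval', evalFallbackAllowed() returns false while getGlobalObject() still succeeds via self, which is the branch ordering the comment above relies on.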

juandopazo commented 7 years ago

You are right, it is a runtime check. I tried in an isolated environment and it's ok. Something fishy is going on in our test pipeline.

juandopazo commented 7 years ago

Oh. 🤦‍♂️ It's another polyfill! Very sorry. I have another polyfill for Function.prototype.bind that is using eval to ensure fn.length is correct.

stefanpenner commented 7 years ago

@juandopazo not a problem, thank you for verifying :)