Closed juandopazo closed 7 years ago
@juandopazo that code-path should only be taken if there is no self
or global
. self
should be present in a browsers \w CSP. Is it not the case that if that branch is avoided no CSP issue arrises, or have I misunderstood?
You are right, it is a runtime check. I tried in an isolated environment and it's ok. Something fishy is going on in our test pipeline.
Oh. 🤦♂️ It's another polyfill! Very sorry. I have another polyfill for Function.prototype.bind
that is using eval to ensure fn.length
is correct.
@juandopazo not a problem, thank you for verifying :)
Hi!
es6-promise
is usingeval
in the form ofFunction('return this')()
to get to the global object. This is a pretty awesome hack that is very reliable in strict mode. However, it hinders the use of Content Security Policy to prevent unwanted uses ofeval
.Thoughts?