new Function() is unnecessary and interferes with CSP

Question

new Function() is unnecessary and interferes with CSP

mangecoeur opened this issue 9 years ago · 2 comments

trying to use JSDOM, which uses setImmediate, in an Atom package and run into content security policy restrictions which prevent the use of new Function and eval. it seems using function(){return this} would work just as well and avoid this completely

Answer 1 · 2015-07-01T22:22:45.000Z

The difference is that (function(){return this})() returns null in strict mode, making it somewhat less reliable, but I hear you about the CSP restrictions.

Answer 2 · 2015-07-02T04:36:07.000Z

Feel free to open an issue on jsdom, we don't necessarily have to use setImmediate, I just did that as a quick fix.

eval is completely necessary for setImmediate since setImmediate("a string") must do eval per spec.