From the explainer, it appears that allowlisting a script hash will allow its use with both indirect eval and direct eval. Indirect eval of a given script has the same behaviour wherever it is evaluated. Because it can access the surrounding scope, direct eval of a given script can have different meanings in different places.
I'm assuming that the reason one may consider a particular script acceptable for addition to the allowlist is that it has been audited. If scripts may only be used with indirect eval, this can be done, but if scripts can be used with direct eval, all uses of direct eval anywhere on the page would need to be considered, and the audit must be done again any time any code in the vicinity of a direct eval is changed.
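The scope difference described in the issue above, as an added JavaScript example that is not part of the original post or of the explainer. The source string, the variable names and the call sites are all constructed for illustration.

```javascript
// Constructed sample: one source string, so one hash on the allowlist.
const AUDITED_SOURCE =
  "typeof secret === 'undefined' ? 'global:' + rate : 'local:' + secret";

// The only binding the string can reach when evaluated in the global scope.
globalThis.rate = 10;

// Direct eval: the string resolves names in the scope of the call site.
function directAtSiteA() {
  const secret = "session-token-A"; // constructed value
  return eval(AUDITED_SOURCE);
}

// Same string, same hash, different surrounding code, different meaning.
function directAtSiteB() {
  const secret = "db-password-B"; // constructed value
  return eval(AUDITED_SOURCE);
}

// Indirect eval: the call is not a plain `eval(...)` reference, so the
// string runs in the global scope and the local `secret` is invisible.
function indirectAtSiteA() {
  const secret = "session-token-A";
  return (0, eval)(AUDITED_SOURCE);
}

// Collect what an auditor would have to reason about for each call style.
function auditSurface() {
  return {
    direct: [directAtSiteA(), directAtSiteB()],
    indirect: [indirectAtSiteA()],
  };
}

console.log(auditSurface());
```

The indirect result depends only on the string and global state, while each direct call site yields a result that depends on locals the string's hash says nothing about.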