pulsar-edit/pulsar
1
1
Fork 0
mirror of https://github.com/pulsar-edit/pulsar.git synced 2024-09-19 15:08:08 +03:00
Code Issues Packages Projects Releases Wiki Activity
263ff21cc1
pulsar/static/index.html
Nathan Sobo 5e8213d45f Add atom.allowUnsafeEval loophole and disable unsafe-eval again 
With Node.js baked in, there's no water-tight way to prevent users from
evaluating code at runtime, at least with CSP alone. This is because
node exposes a 'vm' module that allows scripts to be compiled. There's
also `module._compile`, etc.

I think a reasonable compromise is to protect users from eval'ing code
by accident. This commit adds an atom.allowUnsafeEval method which
re-enables eval in the dynamic scope of the given function.

I then use this to compile the keystroke grammar which saves us the
complexity of pre-compiling it during specs.

What do people think?
2014-03-05 09:57:08 -07:00

13 lines
279 B
HTML
Raw Blame History

<!DOCTYPE html>
<html style="background: #fff">
<head>
<title></title>
<meta http-equiv="Content-Security-Policy" content="default-src *; script-src 'self'; style-src 'self' 'unsafe-inline';">
<script src="index.js"></script>
</head>
<body tabindex="-1">
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink