Nathan Sobo 5e8213d45f Add atom.allowUnsafeEval loophole and disable unsafe-eval again ...

With Node.js baked in, there's no water-tight way to prevent users from
evaluating code at runtime, at least with CSP alone. This is because
node exposes a 'vm' module that allows scripts to be compiled. There's
also `module._compile`, etc.

I think a reasonable compromise is to protect users from eval'ing code
by accident. This commit adds an atom.allowUnsafeEval method which
re-enables eval in the dynamic scope of the given function.

I then use this to compile the keystroke grammar which saves us the
complexity of pre-compiling it during specs.

What do people think?

2014-03-05 09:57:08 -07:00

279 B

Raw Blame History

View Raw