I am seeking a mechanism that could make eval and new Function or new o.constructor.constructor disabled, and return undefined or throw an exception. Can any existing proposal make it happen?
If you're interested in doing this in first-party code, you can do this with eslint.
If in browsers, look into CSP (https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP).
SES https://github.com/tc39/proposal-ses but stale proposal text
shim https://github.com/Agoric/SES dependent on realms-shim
shim https://github.com/Agoric/evaluator-shim redesign for single-realm, better security
Presentation to Node security:
Thanks to all you folks. I will look into it.
But now we just disable them for good. eval is really evil. Our scenario is just like Node, not the web. But we use some of the cross-site security like the web's frame.
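
For the Node-like scenario described in the thread, one built-in mechanism is the codeGeneration option of Node's vm module, which makes eval and the Function constructors throw EvalError inside a context. This is an added example, not code from any participant in the thread; makeLockedContext, probe, runSamples and the sample snippets are names constructed for illustration.

```javascript
// Added example: assumes Node.js with CommonJS modules.
const vm = require('node:vm');

// Create a context whose "code generation from strings" switch is off.
// Inside it, eval and the Function constructors throw EvalError.
function makeLockedContext(globals = {}) {
  return vm.createContext({ ...globals }, {
    codeGeneration: { strings: false, wasm: false },
  });
}

// Run a snippet in the context and report its value or the error name.
// err.name is used because the error object comes from another realm,
// so `instanceof EvalError` against the outer realm would be unreliable.
function probe(context, source) {
  try {
    return { ok: true, value: vm.runInContext(source, context) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed samples: the three routes named in the question, plus a
// control snippet showing that ordinary code still runs.
const SAMPLES = {
  eval: 'eval("1 + 1")',
  newFunction: 'new Function("return 1 + 1")()',
  constructorChain: '({}).constructor.constructor("return 1 + 1")()',
  plainCode: '1 + 1',
};

function runSamples() {
  const context = makeLockedContext();
  const results = {};
  for (const [name, source] of Object.entries(SAMPLES)) {
    results[name] = probe(context, source);
  }
  return results;
}

console.log(runSamples());
```

The option only affects the context it is passed to, and the vm module is not an isolation boundary on its own. For the main context of a whole process, Node also accepts the `--disallow-code-generation-from-strings` command-line flag.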