Proof of Concept: `async with`

Hi all,

Just for fun, I solved a challenge to emulate `with` behavior (valid in strict mode & CSP), and I'm sharing it with you because I found it interesting, even if it isn't intended to be used in a project.

The challenge: GitHub - VSADX/with-keyword-replacement

My solution & test cases: https://tinyurl.com/a7b77yjy

Have fun :)

Does that work with script-src: unsafe-eval disabled via CSP? If so, you should bring it up in an issue against the CSP spec, not here, as that's a potential source of vulnerabilities.

Using `script-src 'self' blob:`, it works... but since it allows `blob:`, I don't think it's a real security issue.

Am I wrong?

No, you're right. Probably should be documented in MDN to make it clear, though - I doubt most would think of it as a possible attack point.

But in any case, I don't think this security discussion is on-topic for this list, though.

Yeah, the idea isn't to turn it into a security discussion...

It's just a funny trick I made, then shared here, as suggested by Yulia (from the SpiderMonkey team).

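Added example, not part of any post in the thread: a small policy audit for the point raised above, that a CSP without `'unsafe-eval'` can still let page script run runtime-built strings as code when `blob:` is an allowed script source. The function names are hypothetical, the `data:` entry goes beyond the `blob:` case the thread discusses, and the check assumes only `script-src` and its `default-src` fallback matter (it ignores `script-src-elem` and `worker-src`).

```javascript
// Added example: flag script sources in a CSP string that let a page
// execute code assembled at runtime, even when 'unsafe-eval' is absent.
const DYNAMIC_CODE_SOURCES = new Map([
  ["'unsafe-eval'", "allows eval(), new Function() and string timers"],
  ["blob:", "allows scripts loaded from blob: URLs built at runtime"],
  ["data:", "allows scripts loaded from data: URLs built at runtime"],
]);

// Split a policy into directive name -> list of source expressions.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by CSP: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report which directive governs scripts and which of its sources
// are equivalent in effect to allowing dynamic code.
function auditScriptSources(policy) {
  const directives = parsePolicy(policy);
  const governing = directives.has("script-src") ? "script-src"
    : directives.has("default-src") ? "default-src"
    : null;
  if (governing === null) {
    return {
      governing,
      findings: [{ source: "(none)", reason: "no script-src or default-src: scripts are unrestricted" }],
    };
  }
  const findings = [];
  for (const src of directives.get(governing)) {
    const key = src.toLowerCase(); // keywords and schemes are case-insensitive
    if (DYNAMIC_CODE_SOURCES.has(key)) {
      findings.push({ source: key, reason: DYNAMIC_CODE_SOURCES.get(key) });
    }
  }
  return { governing, findings };
}

// Constructed sample: the policy quoted in the thread.
console.log(auditScriptSources("script-src 'self' blob:"));
```
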