Proof of Concept: `async with`

Hi all,

Just for the fun, I solved a challenge to emulate a with behavior (valid in strict mode & CSP) and I share it with you because I found it interesting even if it isn't intended to be used into a project.

The challenge: GitHub - VSADX/with-keyword-replacement

My solution & test cases:

Have fun :)

Does that work with script-src: unsafe-eval disabled via CSP? If so, you should bring it up in an issue against the CSP spec, not here, as that's a potential source of vulnerabilities.

Using script-src 'self' blob:, it works... but since it allows blob:, I don't think about a real security issue.

Am I wrong?

No, you're right. Probably should be documented in MDN to make it clear, though - I doubt most would think of it as a possible attack point.

But in any case, I don't think this security discussion is on-topic for this list, though.

Yeah, the idea isn't to turn it as a security discussion...

It's just a funny trick I made, then shared here, as suggested by Yulia (from the SpiderMonkey team).

1 Like