Closed Bug 1288284 Opened 8 years ago Closed 7 years ago
Content scripts window
.eval runs code in the page, not in the content script
1. Load attachment at about:debugging 2. Visit example.com 3. Look at the console. Expected: The lines are all true statements. Actual: Content script: Should be 1: undefined <------ WRONG Content script: Should be 2: 2 Page script: Should be undefined: 1 <---- WRONG Page script: Should be undefined: undefined The first and the third line use window.eval, the second and fourth line use eval. eval executes in the current scope, window.eval executes in the page's scope. --- eval and window.eval already have different semantics: 1. window.eval runs code in the global context. 2. eval runs code in the local context. The execution context should be the content script. If there is a desire to run code in the page, then it should be more explicit. Implicitly switching contexts depending on how a function is called is just confusing. I also found that window.Function and Function behave differently, but let's focus on eval for now. Firefox version: Firefox 47.0.1, Firefox Nightly 50 (2016-07-20)
`window.eval` runs code in the context of the window object it's bound to, not in the context of the current global. iframe.contentWindow.eval, for instance, runs code in the context of that iframe's window. Unbound eval (`(0, eval)(...)`) evaluates code in the context of its incumbent global. Those are the same semantics in play here. I don't think it makes sense to change them. Being able to evaluate code in the context of the content window is a useful feature.
Review commit: https://reviewboard.mozilla.org/r/65854/diff/#index_header See other reviews: https://reviewboard.mozilla.org/r/65854/
Rob, it looks like this patch didn't have a reviewer on it and got dropped, would it be worth trying to clean and ask for review? Also sounds like you want dev-doc-needed based on comment 2?
Assignee: nobody → rob
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
Sorry Rob, forgot to NI you for the changes linked in comment 6.
Looks good. I edited the doc to add validation in the "message" event, to encourage developers to always validate messages in global "message" events.
You need to log in before you can comment on or make changes to this bug.