1396145 - Consider disabling eval/Function in BackstagePass scopes

Status: NEW

(Core :: XPConnect, enhancement, P2)

Description

[Kris Maglione [:kmag]]

One of the last sticking points for enabling shared globals for JSMs is that things like (0, eval)("this") and Function("return this") may behave inconsistently.

Ideally, we really shouldn't be using eval in chrome code at all, and there seems to be a pretty strong consensus that disabling it is the way to go.

Unfortunately, we also seem to have a surprising amount of existing code relying on it:

https://treeherder.mozilla.org/#/jobs?repo=try&revision=1ebf240a59b63d4589aac4208e68fd621583ef2b&selectedJob=127871107

These are actually instances of the pattern we're trying to avoid, and can be fixed by adding some variables to the header of the script:

http://searchfox.org/mozilla-central/rev/51b3d67a5ec1758bd2fe7d7b6e75ad6b6b5da223/browser/extensions/activity-stream/vendor/Redux.jsm#689
http://searchfox.org/mozilla-central/rev/51b3d67a5ec1758bd2fe7d7b6e75ad6b6b5da223/browser/extensions/activity-stream/vendor/Redux.jsm#921
http://searchfox.org/mozilla-central/rev/51b3d67a5ec1758bd2fe7d7b6e75ad6b6b5da223/browser/extensions/activity-stream/vendor/Redux.jsm#1248

This one is probably safe, but also entirely unnecessary since it's just eval()ing static JSON-compatible data strings from an adjacent script:

http://searchfox.org/mozilla-central/rev/51b3d67a5ec1758bd2fe7d7b6e75ad6b6b5da223/browser/extensions/formautofill/phonenumberutils/PhoneNumber.jsm#75


Most of the remaining calls are in test files that we can either fix, or add exceptions for when running in automation.