Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
A couple things were weird with how JSON is polyfilled in the library. First, we have a flag __USE_JSON__ which is set at build time to output two different bundles, .js and .nojson.js which leads to a bit of confusion from the end user as to which to use. Second, this is only done because JSON-js/json2.js uses eval in it's parse function which violates CSP, but there is an alternate parse implementation that uses a state machine and no eval which obviates the need for this .js and .nojson.js split. Third, the way this was used I think was buggy to begin with. The custom json2.js parse and stringify functions should only be used if JSON does not already exist natively with this functionality. It is already built into json2.js to check for this and only polyfill if needed. To get that to work, you just need to pass in the global JSON and let it do it's work. The problem is then when we decide to use the polyfill we pass in an empty object always which forces those polyfills to always be used. It does not seem like that is intended behaviour. We are not affecting the global JSON object so this polyfill will not be visible outside our library, we only polyfill the functions that are not already present on the possibly existing JSON global, and we use a version of parse that does not use eval and therefore is CSP safe.
- Loading branch information