As part of Bug 1473549, we are in the process of adding an assertion to make sure that eval() is not executed with system principal. evalInSandbox is used in httpd.js (https://dxr.mozilla.org/mozilla-central/rev/c2e3be6a1dd352b969a45f0b85e87674e24ad284/netwerk/test/httpserver/httpd.js#2804). We need to replace it with alternatives.

Comment on attachment 9007178 [details] Bug 1489455 - Replace evalInSandbox from httpd.js Please kindly review the patch and let me know if changes are needed.

Comment on attachment 9007178 [details] Bug 1489455 - Replace evalInSandbox from httpd.js Hey Valentin, we are in the process of adding an assetion that we never call eval() in system privileged context. We identified a few places within our codebase where we do this, one is within this patch. So before we can add the assertion to make sure we don't ever call eval() in system land, we need to rewrite those parts in the code that currently do. Would you be willing to accept that change?

Comment on attachment 9007178 [details] Bug 1489455 - Replace evalInSandbox from httpd.js Valentin Gosu [:valentin] has approved the revision.

Comment on attachment 9007178 [details] Bug 1489455 - Replace evalInSandbox from httpd.js Christoph Kerschbaumer [:ckerschb] has been removed from the revision.

Pushed by rvandermeulen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f2b03dfdb75b Replace evalInSandbox from httpd.js r=valentin