Replace function constructor with defineProperty

[davidje13]

Resolves #41

Since defineProperty is already used extensively in the rest of the code, it seems safe to use it here without a fallback. Function.length is defined with configurable: true, so this is spec-compliant.

This removes the only occurrence of evaled code (in this case via a function constructor), which makes the project compatible with --disallow-code-generation-from-strings as well as Content-Security-Policy script-src restrictions in the browser. Being able to set these security options allows consumers of this library to create more secure applications through layered security.

This also removes a chunk of code, so the browser bundle size is a little smaller!

[davidje13]

Just found #26 which seems to be the same. Any reason why that hasn't been pulled yet? I can implement the fallback behaviour that was discussed if Node 2.5 is still important to the project.

I'd really like to get this fixed because being held back from using the latest security features because of a deprecation package is massively ironic & frustrating!

Is this project still alive?

[davidje13]

Just to note that since that second commit this is now compatible with all supported NodeJS targets (the travis build seems to be failing due to a glitch rather than because of anything here; appveyor shows that it works with all versions).

@dougwilson could either this or #26 be merged? I'm quite keen to be able to get this through so that I can kill off node's ability to execute strings as code in my deployments, and I'm not seeing any blockers to merging. If any other changes are needed to either PR I'm happy to help out in any way. (I'm aware I'll still be waiting on expressjs/express#4174 but: one step at a time!)