C. Scott Ananian (2015-04-29T17:02:26.000Z)
d at domenic.me (2015-05-11T16:43:45.324Z)
On Wed, Apr 29, 2015 at 12:49 PM, Allen Wirfs-Brock <allen at wirfs-brock.com> wrote: > Also, in a private message Mark Miller mentioned that the primarily > security invariant he's concerned about really relates to the behavior of > the `then` method of the object returned by `Promise.resolve(x)`. Neither > testing `construct` or SpeciesConstructor really tells you anything about > `then`. It seems that the root problem here is trying to apply nominal > type based reasoning to JS. > I agree that is the root problem. That is why [[PromiseConstructor]] is misguided, as (in their own way) is testing x.[[Prototype]] and testing x.then. We could imagine rewriting step 2 to test all three of these. And then maybe we should think about proxies as well! But rather than add some complicated test to try to do something which doesn't actually accomplish its purpose, better to use the simple/expected/consistent thing, which seems (at this point) to be SpeciesConstructor. And that seems to make setting Promise.@@species "work right" as well, for what that's worth.