C. Scott Ananian (2015-04-29T18:12:24.000Z)
d at domenic.me (2015-05-11T16:44:41.927Z)
On Wed, Apr 29, 2015 at 2:07 PM, Mark S. Miller <erights at google.com> wrote:

> I think your approach is on the right track. How about the
> following?

Assuming that you don't export DefensivePromise to the attacker, this is fine. Otherwise, I think this is still vulnerable to Reflect.construct lying about new.target:

```js
class BadPromise extends DefensivePromise {
  then(r) { r(); r(); }
}
var bp = Reflect.construct(BadPromise, DefensivePromise);
```

Since it's `Promise.then` you care about, I think the approach in my previous message (where `then` is tested directly) is preferable.
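An added illustration, not code from this thread: it shows that `new.target` is whatever the caller passes as the third argument to `Reflect.construct(target, argumentsList, newTarget)`, and what a check made on `then` itself looks like. The definition of `DefensivePromise` is not on this page, so `Guarded`, `Bad`, `hasGenuineThen` and `report` are hypothetical stand-ins.

```javascript
// Hypothetical stand-in: a promise subclass whose constructor records
// whether new.target was the class itself.
class Guarded extends Promise {
  constructor(executor) {
    super(executor);
    Object.defineProperty(this, 'sawOwnTarget', { value: new.target === Guarded });
  }
}

// Hypothetical subclass: its constructor body runs after Guarded's and
// installs an own `then` that invokes its callback twice.
class Bad extends Guarded {
  constructor(executor) {
    super(executor);
    this.then = (r) => { r(); r(); };
  }
}

const noop = () => {};

// Bad's constructor body runs, yet every constructor in the chain
// observes new.target === Guarded, and the prototype is Guarded.prototype.
const viaReflect = Reflect.construct(Bad, [noop], Guarded);
const viaNew = new Bad(noop);
const plain = new Guarded(noop);

// Check `then` directly: no own override, and the inherited method is the
// built-in one. The result does not depend on new.target at construction.
function hasGenuineThen(p) {
  return !Object.prototype.hasOwnProperty.call(p, 'then') &&
         p.then === Promise.prototype.then;
}

function report(p) {
  return {
    sawOwnTarget: p.sawOwnTarget,
    protoIsGuarded: Object.getPrototypeOf(p) === Guarded.prototype,
    genuineThen: hasGenuineThen(p),
  };
}

console.log(report(viaReflect), report(viaNew), report(plain));
```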