On Fri, 31 Jan 2025 17:17:04 GMT, Alan Bateman <al...@openjdk.org> wrote:
> > One thing to think about: does this mean `protectionDomain` is now > > discoverable by reflection? Should it be? Should it be filtered? > > Class::getProtectionDomain is a public API so anyone looking for it doesn't > need reflection, but maybe you are thinking of something else? I am thinking if anything new happens if we can reflect the field, `setAccessible(true)` it, and overwrite it. I guess the normal protection rules disallow the `setAccessible` part, but it does not hurt to think and confirm this is still enough and good. ------------- PR Comment: https://git.openjdk.org/jdk/pull/23396#issuecomment-2627854782