On Fri, 31 Jan 2025 17:17:04 GMT, Alan Bateman <al...@openjdk.org> wrote:

> > One thing to think about: does this mean `protectionDomain` is now 
> > discoverable by reflection? Should it be? Should it be filtered?
> 
> Class::getProtectionDomain is a public API so anyone looking for it doesn't 
> need reflection, but maybe you are thinking of something else?

I am thinking if anything new happens if we can reflect the field, 
`setAccessible(true)` it, and overwrite it. I guess the normal protection rules 
disallow the `setAccessible` part, but it does not hurt to think and confirm 
this is still enough and good.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/23396#issuecomment-2627854782
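
A probe for the question raised in this message, added here as an example (not code from the PR or from the OpenJDK project): it reports whether the running JDK lets core reflection see a `protectionDomain` field on `java.lang.Class` and, if it does, whether `setAccessible(true)` is permitted. The class name `ProtectionDomainFieldProbe` and the `Outcome` enum are made up for illustration; the field name is the one named in the discussion, and whether it exists depends on the JDK build being run.

```java
import java.lang.reflect.Field;
import java.lang.reflect.InaccessibleObjectException;

public class ProtectionDomainFieldProbe {

    // Hypothetical result type for this example.
    enum Outcome { NOT_VISIBLE, VISIBLE_BUT_NOT_ACCESSIBLE, ACCESSIBLE }

    static Outcome probe(String fieldName) {
        final Field field;
        try {
            field = Class.class.getDeclaredField(fieldName);
        } catch (NoSuchFieldException e) {
            // Either the field does not exist in this JDK build, or core
            // reflection filters it out; both look the same to the caller.
            return Outcome.NOT_VISIBLE;
        }
        try {
            // Only checks whether access suppression is granted; nothing is written.
            field.setAccessible(true);
        } catch (InaccessibleObjectException e) {
            // java.base does not open java.lang to the calling module.
            return Outcome.VISIBLE_BUT_NOT_ACCESSIBLE;
        }
        return Outcome.ACCESSIBLE;
    }

    public static void main(String[] args) {
        System.out.println("java.version: " + System.getProperty("java.version"));
        // How many fields of java.lang.Class core reflection exposes at all.
        System.out.println("visible fields on Class: "
                + Class.class.getDeclaredFields().length);
        System.out.println("protectionDomain: " + probe("protectionDomain"));
    }
}
```

Running it once with default options and once with `--add-opens java.base/java.lang=ALL-UNNAMED` shows whether module encapsulation or field filtering is what stands in the way.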
