@@new

Boris Zbarsky bzbarsky at MIT.EDU
Wed Jun 18 13:44:49 PDT 2014


On 6/18/14, 3:14 PM, Anne van Kesteren wrote:
> Revisiting existing classes and making them suitable for subclassing
> seems like something that would be hard to avoid.

I think the difference for me is whether making a class subclassable 
before careful auditing means potentially introducing suboptimal 
behavior (that we presumably fix when either we do the audit or someone 
reports a bug) or whether it means potentially introducing a security bug.

In the former case, we can conceivably allow subclassing immediately 
(possibly only in nightly builds or whatnot) and then work on resolving 
the issues people find.  In the latter case the auditing needs to be a 
lot more stringent before subclassing is allowed, and allowing 
subclassing without auditing is just a non-starter.  I'm OK shipping 
somewhat buggy code for people to experiment with in nightly builds, but 
I'm not OK shipping security bugs.

-Boris
