File tree Expand file tree Collapse file tree 1 file changed +6
-4
lines changed
Expand file tree Collapse file tree 1 file changed +6
-4
lines changed Original file line number Diff line number Diff line change @@ -1097,15 +1097,17 @@ function createBridge(otherInit, registerProxy) {
10971097 if ( ! isHost && isDangerousFunctionConstructor ( other ) ) {
10981098 return emptyFrozenObject ;
10991099 }
1100+ // Cache check first — if already proxied, return existing proxy.
1101+ // Safe because: cached proxies were created under the same preventUnwrap
1102+ // rules, and an attacker can't retroactively add Function constructors
1103+ // to a host object's properties from the sandbox (chicken-and-egg).
1104+ const mapped = thisReflectApply ( thisWeakMapGet , mappingOtherToThis , [ other ] ) ;
1105+ if ( mapped ) return mapped ;
11001106 // For objects on sandbox side, check for nested dangerous constructors.
11011107 // If found, proxy WITHOUT unwrap registration (mappingThisToOther), so
11021108 // the proxy cannot be unwrapped when passed back to host functions.
11031109 // The proxy's get trap already sanitizes dangerous values on read.
11041110 const dangerous = ! isHost && containsDangerousConstructor ( other ) ;
1105- if ( ! dangerous ) {
1106- const mapped = thisReflectApply ( thisWeakMapGet , mappingOtherToThis , [ other ] ) ;
1107- if ( mapped ) return mapped ;
1108- }
11091111 if ( proto ) {
11101112 return thisProxyOther ( factory , other , proto , dangerous ) ;
11111113 }
You can’t perform that action at this time.
0 commit comments