[spankalee]

> the Javascript spec is so littered with API helper functions to patch over old APIs that I think it'll only continue to grow in exploitability

Can you explain how helpers create exploits? Are there any examples?

[jeroenhd]

The higher the surface area, the higher the risk. Either browser engines maintain two separate methods for creating the URL object, or they use the same base function that's called in two different ways. If someone writes optimised code for one, they can easily forget to keep the other into account.

It's easier to secure a JIT with 100 methods than it is to secure a JIT with a thousand.