lucacasonato
commented
2 months ago We don't think this is a breaking change to add, so we are not going to do this for Deno 2. We do however se the usecase, and may do this in a later release.
Open teleclimber opened 8 months ago
lucacasonato
commented
2 months ago We don't think this is a breaking change to add, so we are not going to do this for Deno 2. We do however se the usecase, and may do this in a later release.
I don't know how the net permissions will be improved in Deno 2.0 (or if they will?) but I would like to make this suggestion:
Add a permission that allows net access via fetch only.
Why?
First, it would cover a large majority of use cases, where code just needs to make HTTP requests. Unlike
--allow-netit doesn't allow a server to listen (see #16532) and you can't use it to start TELNET session to probe for network services.Second, when used in combination with `HTTP[S]_PROXY, it would guarantee that all net requests go through the proxy. This is useful if you want to allow net requests, but you need to monitor them and provide additional filtering.
Currently, you can use
HTTP_PROXYto filter or monitor fetches, but nothing prevents malicious code from bypassing the proxy usingDeno.connect. With--allow-net-fetch, net activity initiated with Deno.connect gets blocked (unless allowed using--allow-net).In other discussions, Deno team members have recommended that Deno be run with its own networking namespace to cover this requirement (https://github.com/denoland/deno/issues/11925#issuecomment-1678594198). However this implies a Linux environment and rules out using this on local machines running Mac or Windows. With
--allow-net-fetchyou don't have to be on Linux (and you don't have to mess with namespaces, which can be prickly).There are a number of reasons why systems may want to filter net requests beyond what Deno currently allows:
It would be great if Deno could offer a simple cross-platform way to monitor/block fetches.
Thank-you for considering!
✌️