-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove --no-prompt ... require users to explicitly prompt for permission #2767
Comments
I believe |
@bartlomieju I need to study the permission's API, but I believe |
It sounds useful to allow code to determine how to interact if permissions aren't there, as in some permissions might be totally optional, and can be handled in code. I still think there might be a use case though where the user would just want to ensure no prompts are there, no matter what the code is. Like some container workloads, you absolutely don't want code to prompt and lock things, you just want the job to fail and exit. |
|
@afinch7 The idea is that no-prompt would be the default and that we would provide a way to programmatically prompt for raising permissions. |
Ooh, whitelist scopes would finally be modelled and really well at that: https://w3c.github.io/permissions/#permissiondescriptor-stronger-than The
@ry Even if you provided an explicit request function, wouldn't you still want a flag to deny all of these? Maybe I'm misunderstanding. |
We can just create a global Permissions as in the standard. |
@ry That's just the interface, isn't it? The actual permissions object is a singleton accessed through |
Oh, I didn't realize that. Well maybe we should just add a navigator object then. |
Maybe at some point, but I think that should be reserved for strict browser compatibility. Deno's |
Having the ability to query and request permissions programmatically sounds like a cool feature, but I think I still need a way to suppress all prompts on the command line. I really don't want a prompt to cause my server to hang for all users just because I forgot to grant a permission ahead of time or the program wants to ask me and I'm not around. I am also suspicious that this feature might be a subtle footgun. It reminds me of fs.exists() in Node, which was deprecated because using it to check for file existence before doing a read/write to that file can cause race condition issues. The solution is to |
Please consider saving permissions in a module specific JSON file. WebExtensions contain an array of strings for this purpose (manifest.json):
See https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Request_the_right_permissions for more details. In this way, the permissions can be loaded / written with the application or module they are refering to. Which means that the app permissions could be versioned and transfered to another ENV. Side note, somewhat related: What is missing from the manifest.json? To my knowledge,there is no crypto hash field for the module, not to speak of a PKI signature. This means WebExtensions are still(?) vulnerable to code injections. Subresource Integrity (Mozilla experiment) might be a relevant fix here: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity. It would be nice to have the Opt-in opportunity to verify code has not changed from developer to user/s. Combine that with permissions and it would greatly reduce the attack surface for many apps. Suggestion made after a short discussion with @bartlomieju, over IRC. |
Note:
W3C's Permission API spec only defines Chrome implements the all 3 methods. Firefox implements only |
@sholladay It would be nice to have the modules as repeatable builds. My concern is that for the browsers there is no requirement to lift the permissions & bundle them together with the code they are relevant to. So the permissions query backend would be nice to be partitioned / split per their respective modules. How would DevOPS / continous deploy work? |
Would we consider adding the inverse, My fear is that if some projects have to instruct users to use a number of specific flags, they might get lazy and start suggesting |
I think If I'm running a script with the default settings (which is basically an implied non-interactive mode), I don't think a script should be able to override that. |
@andyfleming It should fail if not connected to a TTY (using |
@nayeemrmn No - if permissions were removed then it was perhaps to run some untrusted bit of code - we cannot then assume the state of the program is safe to have elevated permissions. Stupid example: setTimeout(() => {
Deno.remove("/etc/passwd");
}, 100000) |
Just skim-through the thread... i think the Permission api is a grate addition to Deno. However when mixing it with the filesystem i can't help by feeling a bit conflicted about it when we got the WICG/native-file-system |
this was fixed in #3200 |
Currently if you run a program that, say, tries to read a file from disk, without
--allow-read
you will see an interactive command line prompt that let's the user elevate permissions. If--no-prompt
is given, the program will exit with a PermissionDenied error.This is not now permission escalation works in the browser.
https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices/getUserMedia
https://developer.mozilla.org/en-US/docs/Web/API/Permissions_API
https://w3c.github.io/permissions/
I think we should adopt the
Permission.query()
API and remove the--no-prompt
flag.The text was updated successfully, but these errors were encountered: