-
Notifications
You must be signed in to change notification settings - Fork 30.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security question: Why are data: URIs and file: URIs treated differently in your security policy? #53815
Comments
@nodejs/security-wg |
So I couple of things first:
I will try to adjust it either way.
Imagine you have an HTTP server with two routes:
While the $ node --experimental-network-imports --import 'http://127.0.0.1:9999/direct.mjs' --eval ''
Error [ERR_NETWORK_IMPORT_DISALLOWED]: import of 'node:fs/promises' by http://localhost:9999/direct.mjs is not supported: only relative and absolute specifiers are supported. the $ node --experimental-network-imports --import 'http://127.0.0.1:9999/indirect.mjs' --eval ''
BYPASS |
Also note, that we are discussing removing this feature entirely #53822. |
Your response does not acknowledge my question about file: URIs. I am repeating my question: Why are data: URIs treated differently from file: URIs? Attackers can simply write to a file and then import it to achieve the same effect. |
If you look at the docs for network imports, there's a special restriction.
The intention is that What seems to have happened here is embedding the prohibited import in a |
Version
No response
Platform
No response
Subsystem
No response
What steps will reproduce the bug?
I noticed this bug report and asked @RafaelGSS why
data:
URIs are treated differently fromfile:
URIs in the node.js security policy, as attackers can simply write to a file and then import it to achieve the same effect.Rafael responded with the following, asking me to file an issue in this bug tracker instead of elaborating on X:
How often does it reproduce? Is there a required condition?
No response
What is the expected behavior? Why is that the expected behavior?
No response
What do you see instead?
N/A. I was requested by @RafaelGSS to use this issue reporting form.
Additional information
No response
The text was updated successfully, but these errors were encountered: