Static non-code resources in modules #4001
Comments
|
The import system shouldn't be used for this, but being able to use the cache system for non-code resources is a very good point (may as well change the title). That would be applicable to suggestions in #3448. |
|
import.meta.url provides more-or-less the same functionality as __dirname. |
|
For a module imported via a URL, this will be the module's URL, right? It won't be a local directory where you can directly read files from, like in Node.js. |
|
Then you would use |
|
|
|
Only the imported resources are ever retrieved, so if you are loading a remote module, why are you trying to read local resources that don't exist?! |
Correct, and since only code files can be imported, there is seemingly no way to retrieve non-code resources required by the module other than to use |
|
That is very intentional, as allowing privilaged access to non-code resources would break the security model. Using |
Could you elaborate?
See #4001 (comment):
|
Yes. We are fairly strict with remote modules that their media type needs to match the set of known modules that we process, and we process those modules, we then inject those modules into the runtime. Runtime code has 0 access to this code directly, including JSON, meaning that it can simply request code to be retrieved and added to the runtime, and the runtime code only sees the results of the parsed code. This is the only implied system access that comes out of the box. Everything else requires explicit permissions. If we had a "backdoor" to load any network resources that wouldn't be a very secure model.
|
|
@seishun |
Would a proxy that wraps arbitrary resources in a JS module default export as described in #3756 (comment) be considered a backdoor? From deno manual:
It's unclear how the proposed fetch cache will work exactly, but the quoted behavior would be desirable for non-code resources too. Otherwise it's not an ideal solution. |
Possibly, great for discussion on that issue, as we wouldn't want to introduce one.
Again, great for discussion on that issue. |
seishun
changed the title
That issue is about fetch, I don't think the usage of
Left a comment, but that issue is specifically about fetch cache, which is just one of possible solutions to the problem discussed here. |
|
As far as I am aware, browsers do not handle arbitrary resources through import. I would like to see the ability to statically import YAML as a JS object but that isn't portable to browser runtimes. Now I use a proxy and parse its default export text as YAML. That works fine for now because I can use Deno's existing import cache. It would be the same for other resource types. If browsers support their static import, Deno should as well. Otherwise it should not diverge here. |
Correct. We play loose by converting JSON (we also support JSX, TSX). I would say we stop there, because everything else could potentially lead to a security issue and code injection. |
For the sake of discussion let's consider the original scenario where there is a remote module that depends on non-importable resources like So would It's also possible that if |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
With import assets being added to JavaScript, any changes to this space will be aligned to Deno supporting that. Closing in favour of #7623. |
Let's say I want to write a module that communicates with some service using Protobuf.
In Node.js, the npm package would contain .proto files which the module would load directly from the file system (using
__dirname).What's the deno equivalent? It seems
importworks only for code andfetchwouldn't be cached.The text was updated successfully, but these errors were encountered: