1<!DOCTYPE html> 2<html lang="en"> 3<head> 4 <meta charset="utf-8"> 5 <meta name="viewport" content="width=device-width"> 6 <meta name="nodejs.org:node-version" content="v14.21.2"> 7 <title>Policies | Node.js v14.21.2 Documentation</title> 8 <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato:400,700,400italic&display=fallback"> 9 <link rel="stylesheet" href="assets/style.css"> 10 <link rel="stylesheet" href="assets/hljs.css"> 11 <link rel="canonical" href="https://nodejs.org/api/policy.html"> 12</head> 13<body class="alt apidoc" id="api-section-policy"> 14 <div id="content" class="clearfix"> 15 <div id="column2" class="interior"> 16 <div id="intro" class="interior"> 17 <a href="/" title="Go back to the home page"> 18 Node.js 19 </a> 20 </div> 21 <ul> 22<li><a href="documentation.html" class="nav-documentation">About this documentation</a></li> 23<li><a href="synopsis.html" class="nav-synopsis">Usage and example</a></li> 24</ul> 25<hr class="line"> 26<ul> 27<li><a href="assert.html" class="nav-assert">Assertion testing</a></li> 28<li><a href="async_hooks.html" class="nav-async_hooks">Async hooks</a></li> 29<li><a href="buffer.html" class="nav-buffer">Buffer</a></li> 30<li><a href="addons.html" class="nav-addons">C++ addons</a></li> 31<li><a href="n-api.html" class="nav-n-api">C/C++ addons with Node-API</a></li> 32<li><a href="embedding.html" class="nav-embedding">C++ embedder API</a></li> 33<li><a href="child_process.html" class="nav-child_process">Child processes</a></li> 34<li><a href="cluster.html" class="nav-cluster">Cluster</a></li> 35<li><a href="cli.html" class="nav-cli">Command-line options</a></li> 36<li><a href="console.html" class="nav-console">Console</a></li> 37<li><a href="corepack.html" class="nav-corepack">Corepack</a></li> 38<li><a href="crypto.html" class="nav-crypto">Crypto</a></li> 39<li><a href="debugger.html" class="nav-debugger">Debugger</a></li> 40<li><a href="deprecations.html" class="nav-deprecations">Deprecated APIs</a></li> 41<li><a href="diagnostics_channel.html" class="nav-diagnostics_channel">Diagnostics Channel</a></li> 42<li><a href="dns.html" class="nav-dns">DNS</a></li> 43<li><a href="domain.html" class="nav-domain">Domain</a></li> 44<li><a href="errors.html" class="nav-errors">Errors</a></li> 45<li><a href="events.html" class="nav-events">Events</a></li> 46<li><a href="fs.html" class="nav-fs">File system</a></li> 47<li><a href="globals.html" class="nav-globals">Globals</a></li> 48<li><a href="http.html" class="nav-http">HTTP</a></li> 49<li><a href="http2.html" class="nav-http2">HTTP/2</a></li> 50<li><a href="https.html" class="nav-https">HTTPS</a></li> 51<li><a href="inspector.html" class="nav-inspector">Inspector</a></li> 52<li><a href="intl.html" class="nav-intl">Internationalization</a></li> 53<li><a href="modules.html" class="nav-modules">Modules: CommonJS modules</a></li> 54<li><a href="esm.html" class="nav-esm">Modules: ECMAScript modules</a></li> 55<li><a href="module.html" class="nav-module">Modules: <code>module</code> API</a></li> 56<li><a href="packages.html" class="nav-packages">Modules: Packages</a></li> 57<li><a href="net.html" class="nav-net">Net</a></li> 58<li><a href="os.html" class="nav-os">OS</a></li> 59<li><a href="path.html" class="nav-path">Path</a></li> 60<li><a href="perf_hooks.html" class="nav-perf_hooks">Performance hooks</a></li> 61<li><a href="policy.html" class="nav-policy active">Policies</a></li> 62<li><a href="process.html" class="nav-process">Process</a></li> 63<li><a href="punycode.html" class="nav-punycode">Punycode</a></li> 64<li><a href="querystring.html" class="nav-querystring">Query strings</a></li> 65<li><a href="readline.html" class="nav-readline">Readline</a></li> 66<li><a href="repl.html" class="nav-repl">REPL</a></li> 67<li><a href="report.html" class="nav-report">Report</a></li> 68<li><a href="stream.html" class="nav-stream">Stream</a></li> 69<li><a href="string_decoder.html" class="nav-string_decoder">String decoder</a></li> 70<li><a href="timers.html" class="nav-timers">Timers</a></li> 71<li><a href="tls.html" class="nav-tls">TLS/SSL</a></li> 72<li><a href="tracing.html" class="nav-tracing">Trace events</a></li> 73<li><a href="tty.html" class="nav-tty">TTY</a></li> 74<li><a href="dgram.html" class="nav-dgram">UDP/datagram</a></li> 75<li><a href="url.html" class="nav-url">URL</a></li> 76<li><a href="util.html" class="nav-util">Utilities</a></li> 77<li><a href="v8.html" class="nav-v8">V8</a></li> 78<li><a href="vm.html" class="nav-vm">VM</a></li> 79<li><a href="wasi.html" class="nav-wasi">WASI</a></li> 80<li><a href="worker_threads.html" class="nav-worker_threads">Worker threads</a></li> 81<li><a href="zlib.html" class="nav-zlib">Zlib</a></li> 82</ul> 83<hr class="line"> 84<ul> 85<li><a href="https://github.com/nodejs/node" class="nav-https-github-com-nodejs-node">Code repository and issue tracker</a></li> 86</ul> 87 </div> 88 89 <div id="column1" data-id="policy" class="interior"> 90 <header> 91 <div class="header-container"> 92 <h1>Node.js v14.21.2 documentation</h1> 93 <button class="theme-toggle-btn" id="theme-toggle-btn" title="Toggle dark mode/light mode" aria-label="Toggle dark mode/light mode" hidden> 94 <svg xmlns="http://www.w3.org/2000/svg" class="icon dark-icon" height="24" width="24"> 95 <path fill="none" d="M0 0h24v24H0z" /> 96 <path d="M11.1 12.08c-2.33-4.51-.5-8.48.53-10.07C6.27 2.2 1.98 6.59 1.98 12c0 .14.02.28.02.42.62-.27 1.29-.42 2-.42 1.66 0 3.18.83 4.1 2.15A4.01 4.01 0 0111 18c0 1.52-.87 2.83-2.12 3.51.98.32 2.03.5 3.11.5 3.5 0 6.58-1.8 8.37-4.52-2.36.23-6.98-.97-9.26-5.41z"/> 97 <path d="M7 16h-.18C6.4 14.84 5.3 14 4 14c-1.66 0-3 1.34-3 3s1.34 3 3 3h3c1.1 0 2-.9 2-2s-.9-2-2-2z"/> 98 </svg> 99 <svg xmlns="http://www.w3.org/2000/svg" class="icon light-icon" height="24" width="24"> 100 <path d="M0 0h24v24H0z" fill="none" /> 101 <path d="M6.76 4.84l-1.8-1.79-1.41 1.41 1.79 1.79 1.42-1.41zM4 10.5H1v2h3v-2zm9-9.95h-2V3.5h2V.55zm7.45 3.91l-1.41-1.41-1.79 1.79 1.41 1.41 1.79-1.79zm-3.21 13.7l1.79 1.8 1.41-1.41-1.8-1.79-1.4 1.4zM20 10.5v2h3v-2h-3zm-8-5c-3.31 0-6 2.69-6 6s2.69 6 6 6 6-2.69 6-6-2.69-6-6-6zm-1 16.95h2V19.5h-2v2.95zm-7.45-3.91l1.41 1.41 1.79-1.8-1.41-1.41-1.79 1.8z"/> 102 </svg> 103 </button> 104 </div> 105 <div id="gtoc"> 106 <ul> 107 <li> 108 <a href="index.html">Index</a> 109 </li> 110 <li> 111 <a href="all.html">View on single page</a> 112 </li> 113 <li> 114 <a href="policy.json">View as JSON</a> 115 </li> 116 117 <li class="version-picker"> 118 <a href="#">View another version <span>▼</span></a> 119 <ol class="version-picker"><li><a href="https://nodejs.org/docs/latest-v19.x/api/policy.html">19.x</a></li> 120<li><a href="https://nodejs.org/docs/latest-v18.x/api/policy.html">18.x <b>LTS</b></a></li> 121<li><a href="https://nodejs.org/docs/latest-v17.x/api/policy.html">17.x</a></li> 122<li><a href="https://nodejs.org/docs/latest-v16.x/api/policy.html">16.x <b>LTS</b></a></li> 123<li><a href="https://nodejs.org/docs/latest-v15.x/api/policy.html">15.x</a></li> 124<li><a href="https://nodejs.org/docs/latest-v14.x/api/policy.html">14.x <b>LTS</b></a></li> 125<li><a href="https://nodejs.org/docs/latest-v13.x/api/policy.html">13.x</a></li> 126<li><a href="https://nodejs.org/docs/latest-v12.x/api/policy.html">12.x</a></li> 127<li><a href="https://nodejs.org/docs/latest-v11.x/api/policy.html">11.x</a></li></ol> 128 </li> 129 130 <li class="edit_on_github"><a href="https://github.com/nodejs/node/edit/master/doc/api/policy.md">Edit on GitHub</a></li> 131 </ul> 132 </div> 133 <hr> 134 </header> 135 136 <details id="toc" open><summary>Table of contents</summary><ul> 137<li><span class="stability_1"><a href="#policy_policies">Policies</a></span> 138<ul> 139<li><a href="#policy_enabling">Enabling</a></li> 140<li><a href="#policy_features">Features</a> 141<ul> 142<li><a href="#policy_error_behavior">Error behavior</a></li> 143<li><a href="#policy_integrity_checks">Integrity checks</a></li> 144<li><a href="#policy_dependency_redirection">Dependency redirection</a> 145<ul> 146<li><a href="#policy_example_patched_dependency">Example: Patched dependency</a></li> 147</ul> 148</li> 149<li><a href="#policy_scopes">Scopes</a> 150<ul> 151<li><a href="#policy_example">Example</a></li> 152<li><a href="#policy_integrity_using_scopes">Integrity using scopes</a></li> 153<li><a href="#policy_dependency_redirection_using_scopes">Dependency redirection using scopes</a></li> 154<li><a href="#policy_example_import_maps_emulation">Example: [import maps][] emulation</a></li> 155</ul> 156</li> 157</ul> 158</li> 159</ul> 160</li> 161</ul></details> 162 163 <div id="apicontent"> 164 <h2>Policies<span><a class="mark" href="#policy_policies" id="policy_policies">#</a></span></h2> 165 166 167<p></p><div class="api_stability api_stability_1"><a href="documentation.html#documentation_stability_index">Stability: 1</a> - Experimental</div><p></p> 168 169<p>Node.js contains experimental support for creating policies on loading code.</p> 170<p>Policies are a security feature intended to allow guarantees 171about what code Node.js is able to load. The use of policies assumes 172safe practices for the policy files such as ensuring that policy 173files cannot be overwritten by the Node.js application by using 174file permissions.</p> 175<p>A best practice would be to ensure that the policy manifest is read-only for 176the running Node.js application and that the file cannot be changed 177by the running Node.js application in any way. A typical setup would be to 178create the policy file as a different user id than the one running Node.js 179and granting read permissions to the user id running Node.js.</p> 180<section><h3>Enabling<span><a class="mark" href="#policy_enabling" id="policy_enabling">#</a></span></h3> 181 182<p>The <code>--experimental-policy</code> flag can be used to enable features for policies 183when loading modules.</p> 184<p>Once this has been set, all modules must conform to a policy manifest file 185passed to the flag:</p> 186<pre><code class="language-bash">node --experimental-policy=policy.json app.js</code></pre> 187<p>The policy manifest will be used to enforce constraints on code loaded by 188Node.js.</p> 189<p>To mitigate tampering with policy files on disk, an integrity for 190the policy file itself may be provided via <code>--policy-integrity</code>. 191This allows running <code>node</code> and asserting the policy file contents 192even if the file is changed on disk.</p> 193<pre><code class="language-bash">node --experimental-policy=policy.json --policy-integrity=<span class="hljs-string">"sha384-SggXRQHwCG8g+DktYYzxkXRIkTiEYWBHqev0xnpCxYlqMBufKZHAHQM3/boDaI/0"</span> app.js</code></pre> 194</section><section><h3>Features<span><a class="mark" href="#policy_features" id="policy_features">#</a></span></h3> 195<h4>Error behavior<span><a class="mark" href="#policy_error_behavior" id="policy_error_behavior">#</a></span></h4> 196<p>When a policy check fails, Node.js by default will throw an error. 197It is possible to change the error behavior to one of a few possibilities 198by defining an "onerror" field in a policy manifest. The following values are 199available to change the behavior:</p> 200<ul> 201<li><code>"exit"</code>: will exit the process immediately. 202No cleanup code will be allowed to run.</li> 203<li><code>"log"</code>: will log the error at the site of the failure.</li> 204<li><code>"throw"</code>: will throw a JS error at the site of the failure. This is the 205default.</li> 206</ul> 207<pre><code class="language-json"><span class="hljs-punctuation">{</span> 208 <span class="hljs-attr">"onerror"</span><span class="hljs-punctuation">:</span> <span class="hljs-string">"log"</span><span class="hljs-punctuation">,</span> 209 <span class="hljs-attr">"resources"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 210 <span class="hljs-attr">"./app/checked.js"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 211 <span class="hljs-attr">"integrity"</span><span class="hljs-punctuation">:</span> <span class="hljs-string">"sha384-SggXRQHwCG8g+DktYYzxkXRIkTiEYWBHqev0xnpCxYlqMBufKZHAHQM3/boDaI/0"</span> 212 <span class="hljs-punctuation">}</span> 213 <span class="hljs-punctuation">}</span> 214<span class="hljs-punctuation">}</span></code></pre> 215<h4>Integrity checks<span><a class="mark" href="#policy_integrity_checks" id="policy_integrity_checks">#</a></span></h4> 216<p>Policy files must use integrity checks with Subresource Integrity strings 217compatible with the browser 218<a href="https://www.w3.org/TR/SRI/#the-integrity-attribute">integrity attribute</a> 219associated with absolute URLs.</p> 220<p>When using <code>require()</code> or <code>import</code> all resources involved in loading are checked 221for integrity if a policy manifest has been specified. If a resource does not 222match the integrity listed in the manifest, an error will be thrown.</p> 223<p>An example policy file that would allow loading a file <code>checked.js</code>:</p> 224<pre><code class="language-json"><span class="hljs-punctuation">{</span> 225 <span class="hljs-attr">"resources"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 226 <span class="hljs-attr">"./app/checked.js"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 227 <span class="hljs-attr">"integrity"</span><span class="hljs-punctuation">:</span> <span class="hljs-string">"sha384-SggXRQHwCG8g+DktYYzxkXRIkTiEYWBHqev0xnpCxYlqMBufKZHAHQM3/boDaI/0"</span> 228 <span class="hljs-punctuation">}</span> 229 <span class="hljs-punctuation">}</span> 230<span class="hljs-punctuation">}</span></code></pre> 231<p>Each resource listed in the policy manifest can be of one the following 232formats to determine its location:</p> 233<ol> 234<li>A <a href="https://url.spec.whatwg.org/#relative-url-with-fragment-string">relative-URL string</a> to a resource from the manifest such as <code>./resource.js</code>, <code>../resource.js</code>, or <code>/resource.js</code>.</li> 235<li>A complete URL string to a resource such as <code>file:///resource.js</code>.</li> 236</ol> 237<p>When loading resources the entire URL must match including search parameters 238and hash fragment. <code>./a.js?b</code> will not be used when attempting to load 239<code>./a.js</code> and vice versa.</p> 240<p>To generate integrity strings, a script such as 241<code>node -e 'process.stdout.write("sha256-");process.stdin.pipe(crypto.createHash("sha256").setEncoding("base64")).pipe(process.stdout)' < FILE</code> 242can be used.</p> 243<p>Integrity can be specified as the boolean value <code>true</code> to accept any 244body for the resource which can be useful for local development. It is not 245recommended in production since it would allow unexpected alteration of 246resources to be considered valid.</p> 247<h4>Dependency redirection<span><a class="mark" href="#policy_dependency_redirection" id="policy_dependency_redirection">#</a></span></h4> 248<p>An application may need to ship patched versions of modules or to prevent 249modules from allowing all modules access to all other modules. Redirection 250can be used by intercepting attempts to load the modules wishing to be 251replaced.</p> 252<pre><code class="language-json"><span class="hljs-punctuation">{</span> 253 <span class="hljs-attr">"resources"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 254 <span class="hljs-attr">"./app/checked.js"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 255 <span class="hljs-attr">"dependencies"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 256 <span class="hljs-attr">"fs"</span><span class="hljs-punctuation">:</span> <span class="hljs-keyword">true</span><span class="hljs-punctuation">,</span> 257 <span class="hljs-attr">"os"</span><span class="hljs-punctuation">:</span> <span class="hljs-string">"./app/node_modules/alt-os"</span><span class="hljs-punctuation">,</span> 258 <span class="hljs-attr">"http"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> <span class="hljs-attr">"import"</span><span class="hljs-punctuation">:</span> <span class="hljs-keyword">true</span> <span class="hljs-punctuation">}</span> 259 <span class="hljs-punctuation">}</span> 260 <span class="hljs-punctuation">}</span> 261 <span class="hljs-punctuation">}</span> 262<span class="hljs-punctuation">}</span></code></pre> 263<p>The dependencies are keyed by the requested specifier string and have values 264of either <code>true</code>, <code>null</code>, a string pointing to a module to be resolved, 265or a conditions object.</p> 266<p>The specifier string does not perform any searching and must match exactly what 267is provided to the <code>require()</code> or <code>import</code> except for a canonicalization step. 268Therefore, multiple specifiers may be needed in the policy if it uses multiple 269different strings to point to the same module (such as excluding the extension).</p> 270<p>Specifier strings are canonicalized but not resolved prior to be used for 271matching in order to have some compatibility with import maps, for example if a 272resource <code>file:///C:/app/server.js</code> was given the following redirection from a 273policy located at <code>file:///C:/app/policy.json</code>:</p> 274<pre><code class="language-json"><span class="hljs-punctuation">{</span> 275 <span class="hljs-attr">"resources"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 276 <span class="hljs-attr">"file:///C:/app/utils.js"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 277 <span class="hljs-attr">"dependencies"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 278 <span class="hljs-attr">"./utils.js"</span><span class="hljs-punctuation">:</span> <span class="hljs-string">"./utils-v2.js"</span> 279 <span class="hljs-punctuation">}</span> 280 <span class="hljs-punctuation">}</span> 281 <span class="hljs-punctuation">}</span> 282<span class="hljs-punctuation">}</span></code></pre> 283<p>Any specifier used to load <code>file:///C:/app/utils.js</code> would then be intercepted 284and redirected to <code>file:///C:/app/utils-v2.js</code> instead regardless of using an 285absolute or relative specifier. However, if a specifier that is not an absolute 286or relative URL string is used, it would not be intercepted. So, if an import 287such as <code>import('#utils')</code> was used, it would not be intercepted.</p> 288<p>If the value of the redirection is <code>true</code>, a "dependencies" field at the top of 289the policy file will be used. If that field at the top of the policy file is 290<code>true</code> the default node searching algorithms are used to find the module.</p> 291<p>If the value of the redirection is a string, it is resolved relative to 292the manifest and then immediately used without searching.</p> 293<p>Any specifier string for which resolution is attempted and that is not listed in 294the dependencies results in an error according to the policy.</p> 295<p>Redirection does not prevent access to APIs through means such as direct access 296to <code>require.cache</code> or through <code>module.constructor</code> which allow access to 297loading modules. Policy redirection only affects specifiers to <code>require()</code> and 298<code>import</code>. Other means, such as to prevent undesired access to APIs through 299variables, are necessary to lock down that path of loading modules.</p> 300<p>A boolean value of <code>true</code> for the dependencies map can be specified to allow a 301module to load any specifier without redirection. This can be useful for local 302development and may have some valid usage in production, but should be used 303only with care after auditing a module to ensure its behavior is valid.</p> 304<p>Similar to <code>"exports"</code> in <code>package.json</code>, dependencies can also be specified to 305be objects containing conditions which branch how dependencies are loaded. In 306the preceding example, <code>"http"</code> is allowed when the <code>"import"</code> condition is 307part of loading it.</p> 308<p>A value of <code>null</code> for the resolved value causes the resolution to fail. This 309can be used to ensure some kinds of dynamic access are explicitly prevented.</p> 310<p>Unknown values for the resolved module location cause failures but are 311not guaranteed to be forward compatible.</p> 312<h5>Example: Patched dependency<span><a class="mark" href="#policy_example_patched_dependency" id="policy_example_patched_dependency">#</a></span></h5> 313<p>Redirected dependencies can provide attenuated or modified functionality as fits 314the application. For example, log data about timing of function durations by 315wrapping the original:</p> 316<pre><code class="language-js"><span class="hljs-keyword">const</span> original = <span class="hljs-built_in">require</span>(<span class="hljs-string">'fn'</span>); 317<span class="hljs-variable language_">module</span>.<span class="hljs-property">exports</span> = <span class="hljs-keyword">function</span> <span class="hljs-title function_">fn</span>(<span class="hljs-params">...args</span>) { 318 <span class="hljs-variable language_">console</span>.<span class="hljs-title function_">time</span>(); 319 <span class="hljs-keyword">try</span> { 320 <span class="hljs-keyword">return</span> <span class="hljs-keyword">new</span>.<span class="hljs-property">target</span> ? 321 <span class="hljs-title class_">Reflect</span>.<span class="hljs-title function_">construct</span>(original, args) : 322 <span class="hljs-title class_">Reflect</span>.<span class="hljs-title function_">apply</span>(original, <span class="hljs-variable language_">this</span>, args); 323 } <span class="hljs-keyword">finally</span> { 324 <span class="hljs-variable language_">console</span>.<span class="hljs-title function_">timeEnd</span>(); 325 } 326};</code></pre> 327<h4>Scopes<span><a class="mark" href="#policy_scopes" id="policy_scopes">#</a></span></h4> 328<p>Use the <code>"scopes"</code> field of a manifest to set configuration for many resources 329at once. The <code>"scopes"</code> field works by matching resources by their segments. 330If a scope or resource includes <code>"cascade": true</code>, unknown specifiers will 331be searched for in their containing scope. The containing scope for cascading 332is found by recursively reducing the resource URL by removing segments for 333<a href="https://url.spec.whatwg.org/#special-scheme">special schemes</a>, keeping trailing <code>"/"</code> suffixes, and removing the query and 334hash fragment. This leads to the eventual reduction of the URL to its origin. 335If the URL is non-special the scope will be located by the URL's origin. If no 336scope is found for the origin or in the case of opaque origins, a protocol 337string can be used as a scope. If no scope is found for the URL's protocol, a 338final empty string <code>""</code> scope will be used.</p> 339<p>Note, <code>blob:</code> URLs adopt their origin from the path they contain, and so a scope 340of <code>"blob:https://nodejs.org"</code> will have no effect since no URL can have an 341origin of <code>blob:https://nodejs.org</code>; URLs starting with 342<code>blob:https://nodejs.org/</code> will use <code>https://nodejs.org</code> for its origin and 343thus <code>https:</code> for its protocol scope. For opaque origin <code>blob:</code> URLs they will 344have <code>blob:</code> for their protocol scope since they do not adopt origins.</p> 345<h5>Example<span><a class="mark" href="#policy_example" id="policy_example">#</a></span></h5> 346<pre><code class="language-json"><span class="hljs-punctuation">{</span> 347 <span class="hljs-attr">"scopes"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 348 <span class="hljs-attr">"file:///C:/app/"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span><span class="hljs-punctuation">}</span><span class="hljs-punctuation">,</span> 349 <span class="hljs-attr">"file:"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span><span class="hljs-punctuation">}</span><span class="hljs-punctuation">,</span> 350 <span class="hljs-attr">""</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span><span class="hljs-punctuation">}</span> 351 <span class="hljs-punctuation">}</span> 352<span class="hljs-punctuation">}</span></code></pre> 353<p>Given a file located at <code>file:///C:/app/bin/main.js</code>, the following scopes would 354be checked in order:</p> 355<ol> 356<li><code>"file:///C:/app/bin/"</code></li> 357</ol> 358<p>This determines the policy for all file based resources within 359<code>"file:///C:/app/bin/"</code>. This is not in the <code>"scopes"</code> field of the policy and 360would be skipped. Adding this scope to the policy would cause it to be used 361prior to the <code>"file:///C:/app/"</code> scope.</p> 362<ol start="2"> 363<li><code>"file:///C:/app/"</code></li> 364</ol> 365<p>This determines the policy for all file based resources within 366<code>"file:///C:/app/"</code>. This is in the <code>"scopes"</code> field of the policy and it would 367determine the policy for the resource at <code>file:///C:/app/bin/main.js</code>. If the 368scope has <code>"cascade": true</code>, any unsatisfied queries about the resource would 369delegate to the next relevant scope for <code>file:///C:/app/bin/main.js</code>, <code>"file:"</code>.</p> 370<ol start="3"> 371<li><code>"file:///C:/"</code></li> 372</ol> 373<p>This determines the policy for all file based resources within <code>"file:///C:/"</code>. 374This is not in the <code>"scopes"</code> field of the policy and would be skipped. It would 375not be used for <code>file:///C:/app/bin/main.js</code> unless <code>"file:///"</code> is set to 376cascade or is not in the <code>"scopes"</code> of the policy.</p> 377<ol start="4"> 378<li><code>"file:///"</code></li> 379</ol> 380<p>This determines the policy for all file based resources on the <code>localhost</code>. This 381is not in the <code>"scopes"</code> field of the policy and would be skipped. It would not 382be used for <code>file:///C:/app/bin/main.js</code> unless <code>"file:///"</code> is set to cascade 383or is not in the <code>"scopes"</code> of the policy.</p> 384<ol start="5"> 385<li><code>"file:"</code></li> 386</ol> 387<p>This determines the policy for all file based resources. It would not be used 388for <code>file:///C:/app/bin/main.js</code> unless <code>"file:///"</code> is set to cascade or is not 389in the <code>"scopes"</code> of the policy.</p> 390<ol start="6"> 391<li><code>""</code></li> 392</ol> 393<p>This determines the policy for all resources. It would not be used for 394<code>file:///C:/app/bin/main.js</code> unless <code>"file:"</code> is set to cascade.</p> 395<h5>Integrity using scopes<span><a class="mark" href="#policy_integrity_using_scopes" id="policy_integrity_using_scopes">#</a></span></h5> 396<p>Setting an integrity to <code>true</code> on a scope will set the integrity for any 397resource not found in the manifest to <code>true</code>.</p> 398<p>Setting an integrity to <code>null</code> on a scope will set the integrity for any 399resource not found in the manifest to fail matching.</p> 400<p>Not including an integrity is the same as setting the integrity to <code>null</code>.</p> 401<p><code>"cascade"</code> for integrity checks will be ignored if <code>"integrity"</code> is explicitly 402set.</p> 403<p>The following example allows loading any file:</p> 404<pre><code class="language-json"><span class="hljs-punctuation">{</span> 405 <span class="hljs-attr">"scopes"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 406 <span class="hljs-attr">"file:"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 407 <span class="hljs-attr">"integrity"</span><span class="hljs-punctuation">:</span> <span class="hljs-keyword">true</span> 408 <span class="hljs-punctuation">}</span> 409 <span class="hljs-punctuation">}</span> 410<span class="hljs-punctuation">}</span></code></pre> 411<h5>Dependency redirection using scopes<span><a class="mark" href="#policy_dependency_redirection_using_scopes" id="policy_dependency_redirection_using_scopes">#</a></span></h5> 412<p>The following example, would allow access to <code>fs</code> for all resources within 413<code>./app/</code>:</p> 414<pre><code class="language-json"><span class="hljs-punctuation">{</span> 415 <span class="hljs-attr">"resources"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 416 <span class="hljs-attr">"./app/checked.js"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 417 <span class="hljs-attr">"cascade"</span><span class="hljs-punctuation">:</span> <span class="hljs-keyword">true</span><span class="hljs-punctuation">,</span> 418 <span class="hljs-attr">"integrity"</span><span class="hljs-punctuation">:</span> <span class="hljs-keyword">true</span> 419 <span class="hljs-punctuation">}</span> 420 <span class="hljs-punctuation">}</span><span class="hljs-punctuation">,</span> 421 <span class="hljs-attr">"scopes"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 422 <span class="hljs-attr">"./app/"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 423 <span class="hljs-attr">"dependencies"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 424 <span class="hljs-attr">"fs"</span><span class="hljs-punctuation">:</span> <span class="hljs-keyword">true</span> 425 <span class="hljs-punctuation">}</span> 426 <span class="hljs-punctuation">}</span> 427 <span class="hljs-punctuation">}</span> 428<span class="hljs-punctuation">}</span></code></pre> 429<p>The following example, would allow access to <code>fs</code> for all <code>data:</code> resources:</p> 430<pre><code class="language-json"><span class="hljs-punctuation">{</span> 431 <span class="hljs-attr">"resources"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 432 <span class="hljs-attr">"data:text/javascript,import('fs');"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 433 <span class="hljs-attr">"cascade"</span><span class="hljs-punctuation">:</span> <span class="hljs-keyword">true</span><span class="hljs-punctuation">,</span> 434 <span class="hljs-attr">"integrity"</span><span class="hljs-punctuation">:</span> <span class="hljs-keyword">true</span> 435 <span class="hljs-punctuation">}</span> 436 <span class="hljs-punctuation">}</span><span class="hljs-punctuation">,</span> 437 <span class="hljs-attr">"scopes"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 438 <span class="hljs-attr">"data:"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 439 <span class="hljs-attr">"dependencies"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 440 <span class="hljs-attr">"fs"</span><span class="hljs-punctuation">:</span> <span class="hljs-keyword">true</span> 441 <span class="hljs-punctuation">}</span> 442 <span class="hljs-punctuation">}</span> 443 <span class="hljs-punctuation">}</span> 444<span class="hljs-punctuation">}</span></code></pre> 445<h5>Example: <a href="https://url.spec.whatwg.org/#relative-url-with-fragment-string">import maps</a> emulation<span><a class="mark" href="#policy_example_import_maps_emulation" id="policy_example_import_maps_emulation">#</a></span></h5> 446<p>Given an import map:</p> 447<pre><code class="language-json"><span class="hljs-punctuation">{</span> 448 <span class="hljs-attr">"imports"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 449 <span class="hljs-attr">"react"</span><span class="hljs-punctuation">:</span> <span class="hljs-string">"./app/node_modules/react/index.js"</span> 450 <span class="hljs-punctuation">}</span><span class="hljs-punctuation">,</span> 451 <span class="hljs-attr">"scopes"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 452 <span class="hljs-attr">"./ssr/"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 453 <span class="hljs-attr">"react"</span><span class="hljs-punctuation">:</span> <span class="hljs-string">"./app/node_modules/server-side-react/index.js"</span> 454 <span class="hljs-punctuation">}</span> 455 <span class="hljs-punctuation">}</span> 456<span class="hljs-punctuation">}</span></code></pre> 457<pre><code class="language-json"><span class="hljs-punctuation">{</span> 458 <span class="hljs-attr">"dependencies"</span><span class="hljs-punctuation">:</span> <span class="hljs-keyword">true</span><span class="hljs-punctuation">,</span> 459 <span class="hljs-attr">"scopes"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 460 <span class="hljs-attr">""</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 461 <span class="hljs-attr">"cascade"</span><span class="hljs-punctuation">:</span> <span class="hljs-keyword">true</span><span class="hljs-punctuation">,</span> 462 <span class="hljs-attr">"dependencies"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 463 <span class="hljs-attr">"react"</span><span class="hljs-punctuation">:</span> <span class="hljs-string">"./app/node_modules/react/index.js"</span> 464 <span class="hljs-punctuation">}</span> 465 <span class="hljs-punctuation">}</span><span class="hljs-punctuation">,</span> 466 <span class="hljs-attr">"./ssr/"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 467 <span class="hljs-attr">"cascade"</span><span class="hljs-punctuation">:</span> <span class="hljs-keyword">true</span><span class="hljs-punctuation">,</span> 468 <span class="hljs-attr">"dependencies"</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> 469 <span class="hljs-attr">"react"</span><span class="hljs-punctuation">:</span> <span class="hljs-string">"./app/node_modules/server-side-react/index.js"</span> 470 <span class="hljs-punctuation">}</span> 471 <span class="hljs-punctuation">}</span> 472 <span class="hljs-punctuation">}</span> 473<span class="hljs-punctuation">}</span></code></pre> 474<p>Import maps assume you can get any resource by default. This means 475<code>"dependencies"</code> at the top level of the policy should be set to <code>true</code>. 476Policies require this to be opt-in since it enables all resources of the 477application cross linkage which doesn't make sense for many scenarios. They also 478assume any given scope has access to any scope above its allowed dependencies; 479all scopes emulating import maps must set <code>"cascade": true</code>.</p> 480<p>Import maps only have a single top level scope for their "imports". So for 481emulating <code>"imports"</code> use the <code>""</code> scope. For emulating <code>"scopes"</code> use the 482<code>"scopes"</code> in a similar manner to how <code>"scopes"</code> works in import maps.</p> 483<p>Caveats: Policies do not use string matching for various finding of scope. They 484do URL traversals. This means things like <code>blob:</code> and <code>data:</code> URLs might not be 485entirely interoperable between the two systems. For example import maps can 486partially match a <code>data:</code> or <code>blob:</code> URL by partitioning the URL on a <code>/</code> 487character, policies intentionally cannot. For <code>blob:</code> URLs import map scopes do 488not adopt the origin of the <code>blob:</code> URL.</p> 489<p>Additionally, import maps only work on <code>import</code> so it may be desirable to add a 490<code>"import"</code> condition to all dependency mappings.</p></section> 491 <!-- API END --> 492 </div> 493 </div> 494 </div> 495 <script> 496 'use strict'; 497 { 498 const kCustomPreference = 'customDarkTheme'; 499 const userSettings = sessionStorage.getItem(kCustomPreference); 500 const themeToggleButton = document.getElementById('theme-toggle-btn'); 501 if (userSettings === null && window.matchMedia) { 502 const mq = window.matchMedia('(prefers-color-scheme: dark)'); 503 if ('onchange' in mq) { 504 function mqChangeListener(e) { 505 document.body.classList.toggle('dark-mode', e.matches); 506 } 507 mq.addEventListener('change', mqChangeListener); 508 if (themeToggleButton) { 509 themeToggleButton.addEventListener('click', function() { 510 mq.removeEventListener('change', mqChangeListener); 511 }, { once: true }); 512 } 513 } 514 if (mq.matches) { 515 document.body.classList.add('dark-mode'); 516 } 517 } else if (userSettings === 'true') { 518 document.body.classList.add('dark-mode'); 519 } 520 if (themeToggleButton) { 521 themeToggleButton.hidden = false; 522 themeToggleButton.addEventListener('click', function() { 523 sessionStorage.setItem( 524 kCustomPreference, 525 document.body.classList.toggle('dark-mode') 526 ); 527 }); 528 } 529 } 530 </script> 531</body> 532</html> 533