feat: Add --unsafely-treat-insecure-origin-as-secure flag to disable SSL verification (#11324)
This commit adds the "--unsafely-treat-insecure-origin-as-secure" flag, which disables SSL verification for all domains, or only for specific domains when they are passed as an argument to the flag. Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
parent
3ab50b3551
commit
353a4a1af3
22 changed files with 284 additions and 12 deletions
|
@ -223,6 +223,7 @@ impl FileFetcher {
|
||||||
allow_remote: bool,
|
allow_remote: bool,
|
||||||
root_cert_store: Option<RootCertStore>,
|
root_cert_store: Option<RootCertStore>,
|
||||||
blob_store: BlobStore,
|
blob_store: BlobStore,
|
||||||
|
unsafely_treat_insecure_origin_as_secure: Option<Vec<String>>,
|
||||||
) -> Result<Self, AnyError> {
|
) -> Result<Self, AnyError> {
|
||||||
Ok(Self {
|
Ok(Self {
|
||||||
auth_tokens: AuthTokens::new(env::var(DENO_AUTH_TOKENS).ok()),
|
auth_tokens: AuthTokens::new(env::var(DENO_AUTH_TOKENS).ok()),
|
||||||
|
@ -235,6 +236,7 @@ impl FileFetcher {
|
||||||
root_cert_store,
|
root_cert_store,
|
||||||
None,
|
None,
|
||||||
None,
|
None,
|
||||||
|
unsafely_treat_insecure_origin_as_secure,
|
||||||
)?,
|
)?,
|
||||||
blob_store,
|
blob_store,
|
||||||
})
|
})
|
||||||
|
@ -618,6 +620,7 @@ mod tests {
|
||||||
true,
|
true,
|
||||||
None,
|
None,
|
||||||
blob_store.clone(),
|
blob_store.clone(),
|
||||||
|
None,
|
||||||
)
|
)
|
||||||
.expect("setup failed");
|
.expect("setup failed");
|
||||||
(file_fetcher, temp_dir, blob_store)
|
(file_fetcher, temp_dir, blob_store)
|
||||||
|
@ -1063,6 +1066,7 @@ mod tests {
|
||||||
true,
|
true,
|
||||||
None,
|
None,
|
||||||
BlobStore::default(),
|
BlobStore::default(),
|
||||||
|
None,
|
||||||
)
|
)
|
||||||
.expect("setup failed");
|
.expect("setup failed");
|
||||||
let result = file_fetcher
|
let result = file_fetcher
|
||||||
|
@ -1090,6 +1094,7 @@ mod tests {
|
||||||
true,
|
true,
|
||||||
None,
|
None,
|
||||||
BlobStore::default(),
|
BlobStore::default(),
|
||||||
|
None,
|
||||||
)
|
)
|
||||||
.expect("could not create file fetcher");
|
.expect("could not create file fetcher");
|
||||||
let specifier =
|
let specifier =
|
||||||
|
@ -1118,6 +1123,7 @@ mod tests {
|
||||||
true,
|
true,
|
||||||
None,
|
None,
|
||||||
BlobStore::default(),
|
BlobStore::default(),
|
||||||
|
None,
|
||||||
)
|
)
|
||||||
.expect("could not create file fetcher");
|
.expect("could not create file fetcher");
|
||||||
let result = file_fetcher_02
|
let result = file_fetcher_02
|
||||||
|
@ -1279,6 +1285,7 @@ mod tests {
|
||||||
true,
|
true,
|
||||||
None,
|
None,
|
||||||
BlobStore::default(),
|
BlobStore::default(),
|
||||||
|
None,
|
||||||
)
|
)
|
||||||
.expect("could not create file fetcher");
|
.expect("could not create file fetcher");
|
||||||
let specifier =
|
let specifier =
|
||||||
|
@ -1310,6 +1317,7 @@ mod tests {
|
||||||
true,
|
true,
|
||||||
None,
|
None,
|
||||||
BlobStore::default(),
|
BlobStore::default(),
|
||||||
|
None,
|
||||||
)
|
)
|
||||||
.expect("could not create file fetcher");
|
.expect("could not create file fetcher");
|
||||||
let result = file_fetcher_02
|
let result = file_fetcher_02
|
||||||
|
@ -1420,6 +1428,7 @@ mod tests {
|
||||||
false,
|
false,
|
||||||
None,
|
None,
|
||||||
BlobStore::default(),
|
BlobStore::default(),
|
||||||
|
None,
|
||||||
)
|
)
|
||||||
.expect("could not create file fetcher");
|
.expect("could not create file fetcher");
|
||||||
let specifier =
|
let specifier =
|
||||||
|
@ -1447,6 +1456,7 @@ mod tests {
|
||||||
true,
|
true,
|
||||||
None,
|
None,
|
||||||
BlobStore::default(),
|
BlobStore::default(),
|
||||||
|
None,
|
||||||
)
|
)
|
||||||
.expect("could not create file fetcher");
|
.expect("could not create file fetcher");
|
||||||
let file_fetcher_02 = FileFetcher::new(
|
let file_fetcher_02 = FileFetcher::new(
|
||||||
|
@ -1455,6 +1465,7 @@ mod tests {
|
||||||
true,
|
true,
|
||||||
None,
|
None,
|
||||||
BlobStore::default(),
|
BlobStore::default(),
|
||||||
|
None,
|
||||||
)
|
)
|
||||||
.expect("could not create file fetcher");
|
.expect("could not create file fetcher");
|
||||||
let specifier =
|
let specifier =
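Review bot: The new `unsafely_treat_insecure_origin_as_secure: Option<Vec<String>>` parameter in the first hunk carries three meanings that nothing documents: judging by the parser tests and the verifier elsewhere in this commit, `None` keeps certificate verification on, `Some(vec![])` turns it off for every host, and a non-empty list turns it off for the listed hosts only. Because the empty list is the widest setting, any caller that builds or filters the list and ends up with no entries would disable verification everywhere without noticing. A comment above the parameter would record this, e.g. `// None = verify; Some(empty) = verification off for ALL hosts; Some(hosts) = off for those hosts only`, and the same applies to the identically typed fields added to `Flags`, `Metadata` and `HttpClientDefaults` in later sections. The constructor's signature and body both extend beyond the visible hunks.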
|
||||||
|
|
89
cli/flags.rs
89
cli/flags.rs
|
@ -164,6 +164,7 @@ pub struct Flags {
|
||||||
pub repl: bool,
|
pub repl: bool,
|
||||||
pub seed: Option<u64>,
|
pub seed: Option<u64>,
|
||||||
pub unstable: bool,
|
pub unstable: bool,
|
||||||
|
pub unsafely_treat_insecure_origin_as_secure: Option<Vec<String>>,
|
||||||
pub v8_flags: Vec<String>,
|
pub v8_flags: Vec<String>,
|
||||||
pub version: bool,
|
pub version: bool,
|
||||||
pub watch: bool,
|
pub watch: bool,
|
||||||
|
@ -216,6 +217,20 @@ impl Flags {
|
||||||
_ => {}
|
_ => {}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
match &self.unsafely_treat_insecure_origin_as_secure {
|
||||||
|
Some(ic_allowlist) if ic_allowlist.is_empty() => {
|
||||||
|
args.push("--unsafely-treat-insecure-origin-as-secure".to_string());
|
||||||
|
}
|
||||||
|
Some(ic_allowlist) => {
|
||||||
|
let s = format!(
|
||||||
|
"--unsafely-treat-insecure-origin-as-secure={}",
|
||||||
|
ic_allowlist.join(",")
|
||||||
|
);
|
||||||
|
args.push(s);
|
||||||
|
}
|
||||||
|
_ => {}
|
||||||
|
}
|
||||||
|
|
||||||
match &self.allow_env {
|
match &self.allow_env {
|
||||||
Some(env_allowlist) if env_allowlist.is_empty() => {
|
Some(env_allowlist) if env_allowlist.is_empty() => {
|
||||||
args.push("--allow-env".to_string());
|
args.push("--allow-env".to_string());
|
||||||
|
@ -1221,6 +1236,16 @@ fn permission_args<'a, 'b>(app: App<'a, 'b>) -> App<'a, 'b> {
|
||||||
.help("Allow network access")
|
.help("Allow network access")
|
||||||
.validator(crate::flags_allow_net::validator),
|
.validator(crate::flags_allow_net::validator),
|
||||||
)
|
)
|
||||||
|
.arg(
|
||||||
|
Arg::with_name("unsafely-treat-insecure-origin-as-secure")
|
||||||
|
.long("unsafely-treat-insecure-origin-as-secure")
|
||||||
|
.min_values(0)
|
||||||
|
.takes_value(true)
|
||||||
|
.use_delimiter(true)
|
||||||
|
.require_equals(true)
|
||||||
|
.help("DANGER: Disables verification of SSL certificates")
|
||||||
|
.validator(crate::flags_allow_net::validator),
|
||||||
|
)
|
||||||
.arg(
|
.arg(
|
||||||
Arg::with_name("allow-env")
|
Arg::with_name("allow-env")
|
||||||
.long("allow-env")
|
.long("allow-env")
|
||||||
|
@ -1879,7 +1904,15 @@ fn permission_args_parse(flags: &mut Flags, matches: &clap::ArgMatches) {
|
||||||
crate::flags_allow_net::parse(net_wl.map(ToString::to_string).collect())
|
crate::flags_allow_net::parse(net_wl.map(ToString::to_string).collect())
|
||||||
.unwrap();
|
.unwrap();
|
||||||
flags.allow_net = Some(net_allowlist);
|
flags.allow_net = Some(net_allowlist);
|
||||||
debug!("net allowlist: {:#?}", &flags.allow_net);
|
}
|
||||||
|
|
||||||
|
if let Some(ic_wl) =
|
||||||
|
matches.values_of("unsafely-treat-insecure-origin-as-secure")
|
||||||
|
{
|
||||||
|
let ic_allowlist: Vec<String> =
|
||||||
|
crate::flags_allow_net::parse(ic_wl.map(ToString::to_string).collect())
|
||||||
|
.unwrap();
|
||||||
|
flags.unsafely_treat_insecure_origin_as_secure = Some(ic_allowlist);
|
||||||
}
|
}
|
||||||
|
|
||||||
if let Some(env_wl) = matches.values_of("allow-env") {
|
if let Some(env_wl) = matches.values_of("allow-env") {
|
||||||
|
@ -2723,6 +2756,7 @@ mod tests {
|
||||||
repl: true,
|
repl: true,
|
||||||
subcommand: DenoSubcommand::Repl { eval: None },
|
subcommand: DenoSubcommand::Repl { eval: None },
|
||||||
allow_net: Some(vec![]),
|
allow_net: Some(vec![]),
|
||||||
|
unsafely_treat_insecure_origin_as_secure: None,
|
||||||
allow_env: Some(vec![]),
|
allow_env: Some(vec![]),
|
||||||
allow_run: Some(vec![]),
|
allow_run: Some(vec![]),
|
||||||
allow_read: Some(vec![]),
|
allow_read: Some(vec![]),
|
||||||
|
@ -3198,7 +3232,7 @@ mod tests {
|
||||||
#[test]
|
#[test]
|
||||||
fn install_with_flags() {
|
fn install_with_flags() {
|
||||||
#[rustfmt::skip]
|
#[rustfmt::skip]
|
||||||
let r = flags_from_vec(svec!["deno", "install", "--import-map", "import_map.json", "--no-remote", "--config", "tsconfig.json", "--no-check", "--reload", "--lock", "lock.json", "--lock-write", "--cert", "example.crt", "--cached-only", "--allow-read", "--allow-net", "--v8-flags=--help", "--seed", "1", "--inspect=127.0.0.1:9229", "--name", "file_server", "--root", "/foo", "--force", "https://deno.land/std/http/file_server.ts", "foo", "bar"]);
|
let r = flags_from_vec(svec!["deno", "install", "--import-map", "import_map.json", "--no-remote", "--config", "tsconfig.json", "--no-check", "--unsafely-treat-insecure-origin-as-secure", "--reload", "--lock", "lock.json", "--lock-write", "--cert", "example.crt", "--cached-only", "--allow-read", "--allow-net", "--v8-flags=--help", "--seed", "1", "--inspect=127.0.0.1:9229", "--name", "file_server", "--root", "/foo", "--force", "https://deno.land/std/http/file_server.ts", "foo", "bar"]);
|
||||||
assert_eq!(
|
assert_eq!(
|
||||||
r.unwrap(),
|
r.unwrap(),
|
||||||
Flags {
|
Flags {
|
||||||
|
@ -3222,6 +3256,7 @@ mod tests {
|
||||||
seed: Some(1),
|
seed: Some(1),
|
||||||
inspect: Some("127.0.0.1:9229".parse().unwrap()),
|
inspect: Some("127.0.0.1:9229".parse().unwrap()),
|
||||||
allow_net: Some(vec![]),
|
allow_net: Some(vec![]),
|
||||||
|
unsafely_treat_insecure_origin_as_secure: Some(vec![]),
|
||||||
allow_read: Some(vec![]),
|
allow_read: Some(vec![]),
|
||||||
..Flags::default()
|
..Flags::default()
|
||||||
}
|
}
|
||||||
|
@ -3366,6 +3401,53 @@ mod tests {
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn unsafely_treat_insecure_origin_as_secure() {
|
||||||
|
let r = flags_from_vec(svec![
|
||||||
|
"deno",
|
||||||
|
"run",
|
||||||
|
"--unsafely-treat-insecure-origin-as-secure",
|
||||||
|
"script.ts"
|
||||||
|
]);
|
||||||
|
assert_eq!(
|
||||||
|
r.unwrap(),
|
||||||
|
Flags {
|
||||||
|
subcommand: DenoSubcommand::Run {
|
||||||
|
script: "script.ts".to_string(),
|
||||||
|
},
|
||||||
|
unsafely_treat_insecure_origin_as_secure: Some(vec![]),
|
||||||
|
..Flags::default()
|
||||||
|
}
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn unsafely_treat_insecure_origin_as_secure_with_ipv6_address() {
|
||||||
|
let r = flags_from_vec(svec![
|
||||||
|
"deno",
|
||||||
|
"run",
|
||||||
|
"--unsafely-treat-insecure-origin-as-secure=deno.land,localhost,::,127.0.0.1,[::1],1.2.3.4",
|
||||||
|
"script.ts"
|
||||||
|
]);
|
||||||
|
assert_eq!(
|
||||||
|
r.unwrap(),
|
||||||
|
Flags {
|
||||||
|
subcommand: DenoSubcommand::Run {
|
||||||
|
script: "script.ts".to_string(),
|
||||||
|
},
|
||||||
|
unsafely_treat_insecure_origin_as_secure: Some(svec![
|
||||||
|
"deno.land",
|
||||||
|
"localhost",
|
||||||
|
"::",
|
||||||
|
"127.0.0.1",
|
||||||
|
"[::1]",
|
||||||
|
"1.2.3.4"
|
||||||
|
]),
|
||||||
|
..Flags::default()
|
||||||
|
}
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn no_remote() {
|
fn no_remote() {
|
||||||
let r = flags_from_vec(svec!["deno", "run", "--no-remote", "script.ts"]);
|
let r = flags_from_vec(svec!["deno", "run", "--no-remote", "script.ts"]);
|
||||||
|
@ -3845,7 +3927,7 @@ mod tests {
|
||||||
#[test]
|
#[test]
|
||||||
fn compile_with_flags() {
|
fn compile_with_flags() {
|
||||||
#[rustfmt::skip]
|
#[rustfmt::skip]
|
||||||
let r = flags_from_vec(svec!["deno", "compile", "--import-map", "import_map.json", "--no-remote", "--config", "tsconfig.json", "--no-check", "--reload", "--lock", "lock.json", "--lock-write", "--cert", "example.crt", "--cached-only", "--location", "https:foo", "--allow-read", "--allow-net", "--v8-flags=--help", "--seed", "1", "--output", "colors", "https://deno.land/std/examples/colors.ts", "foo", "bar"]);
|
let r = flags_from_vec(svec!["deno", "compile", "--import-map", "import_map.json", "--no-remote", "--config", "tsconfig.json", "--no-check", "--unsafely-treat-insecure-origin-as-secure", "--reload", "--lock", "lock.json", "--lock-write", "--cert", "example.crt", "--cached-only", "--location", "https:foo", "--allow-read", "--allow-net", "--v8-flags=--help", "--seed", "1", "--output", "colors", "https://deno.land/std/examples/colors.ts", "foo", "bar"]);
|
||||||
assert_eq!(
|
assert_eq!(
|
||||||
r.unwrap(),
|
r.unwrap(),
|
||||||
Flags {
|
Flags {
|
||||||
|
@ -3866,6 +3948,7 @@ mod tests {
|
||||||
cached_only: true,
|
cached_only: true,
|
||||||
location: Some(Url::parse("https://foo/").unwrap()),
|
location: Some(Url::parse("https://foo/").unwrap()),
|
||||||
allow_read: Some(vec![]),
|
allow_read: Some(vec![]),
|
||||||
|
unsafely_treat_insecure_origin_as_secure: Some(vec![]),
|
||||||
allow_net: Some(vec![]),
|
allow_net: Some(vec![]),
|
||||||
v8_flags: svec!["--help", "--random-seed=1"],
|
v8_flags: svec!["--help", "--random-seed=1"],
|
||||||
seed: Some(1),
|
seed: Some(1),
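Review bot: The new argument reuses `crate::flags_allow_net::validator`, and the parser test accepts `::`, `127.0.0.1`, `[::1]` and `1.2.3.4`, but the verifier added in this commit matches entries against the handshake name by exact string equality (`self.0.contains(&dns_name)`, with `dns_name` taken from a `DNSNameRef`). IP-literal entries, entries carrying a port, or entries that differ only in case would presumably never match, so such a value is accepted on the command line and then has no effect for that host. Either give the flag its own validator that accepts only what the verifier can match, or state the accepted forms in the help text, e.g. `.help("DANGER: Disables verification of SSL certificates for all hosts, or only for the listed host names")`. `permission_args` and `permission_args_parse` continue outside the hunks.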
|
||||||
|
|
|
@ -145,7 +145,8 @@ mod tests {
|
||||||
use std::fs::read;
|
use std::fs::read;
|
||||||
|
|
||||||
fn create_test_client(ca_data: Option<Vec<u8>>) -> Client {
|
fn create_test_client(ca_data: Option<Vec<u8>>) -> Client {
|
||||||
create_http_client("test_client".to_string(), None, ca_data, None).unwrap()
|
create_http_client("test_client".to_string(), None, ca_data, None, None)
|
||||||
|
.unwrap()
|
||||||
}
|
}
|
||||||
|
|
||||||
#[tokio::test]
|
#[tokio::test]
|
||||||
|
@ -347,6 +348,7 @@ mod tests {
|
||||||
.unwrap(),
|
.unwrap(),
|
||||||
),
|
),
|
||||||
None,
|
None,
|
||||||
|
None,
|
||||||
)
|
)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
let result = fetch_once(FetchOnceArgs {
|
let result = fetch_once(FetchOnceArgs {
|
||||||
|
@ -376,6 +378,7 @@ mod tests {
|
||||||
None, // This will load mozilla certs by default
|
None, // This will load mozilla certs by default
|
||||||
None,
|
None,
|
||||||
None,
|
None,
|
||||||
|
None,
|
||||||
)
|
)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
|
|
||||||
|
@ -407,6 +410,7 @@ mod tests {
|
||||||
Some(RootCertStore::empty()), // no certs loaded at all
|
Some(RootCertStore::empty()), // no certs loaded at all
|
||||||
None,
|
None,
|
||||||
None,
|
None,
|
||||||
|
None,
|
||||||
)
|
)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
|
|
||||||
|
@ -445,6 +449,7 @@ mod tests {
|
||||||
.unwrap(),
|
.unwrap(),
|
||||||
),
|
),
|
||||||
None,
|
None,
|
||||||
|
None,
|
||||||
)
|
)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
let result = fetch_once(FetchOnceArgs {
|
let result = fetch_once(FetchOnceArgs {
|
||||||
|
@ -484,6 +489,7 @@ mod tests {
|
||||||
.unwrap(),
|
.unwrap(),
|
||||||
),
|
),
|
||||||
None,
|
None,
|
||||||
|
None,
|
||||||
)
|
)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
let result = fetch_once(FetchOnceArgs {
|
let result = fetch_once(FetchOnceArgs {
|
||||||
|
@ -537,6 +543,7 @@ mod tests {
|
||||||
.unwrap(),
|
.unwrap(),
|
||||||
),
|
),
|
||||||
None,
|
None,
|
||||||
|
None,
|
||||||
)
|
)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
let result = fetch_once(FetchOnceArgs {
|
let result = fetch_once(FetchOnceArgs {
|
||||||
|
|
|
@ -266,6 +266,7 @@ impl Default for ModuleRegistry {
|
||||||
true,
|
true,
|
||||||
None,
|
None,
|
||||||
BlobStore::default(),
|
BlobStore::default(),
|
||||||
|
None,
|
||||||
)
|
)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
|
|
||||||
|
@ -285,6 +286,7 @@ impl ModuleRegistry {
|
||||||
true,
|
true,
|
||||||
None,
|
None,
|
||||||
BlobStore::default(),
|
BlobStore::default(),
|
||||||
|
None,
|
||||||
)
|
)
|
||||||
.context("Error creating file fetcher in module registry.")
|
.context("Error creating file fetcher in module registry.")
|
||||||
.unwrap();
|
.unwrap();
|
||||||
|
|
|
@ -109,6 +109,10 @@ fn create_web_worker_callback(
|
||||||
.log_level
|
.log_level
|
||||||
.map_or(false, |l| l == log::Level::Debug),
|
.map_or(false, |l| l == log::Level::Debug),
|
||||||
unstable: program_state.flags.unstable,
|
unstable: program_state.flags.unstable,
|
||||||
|
unsafely_treat_insecure_origin_as_secure: program_state
|
||||||
|
.flags
|
||||||
|
.unsafely_treat_insecure_origin_as_secure
|
||||||
|
.clone(),
|
||||||
root_cert_store: program_state.root_cert_store.clone(),
|
root_cert_store: program_state.root_cert_store.clone(),
|
||||||
user_agent: version::get_user_agent(),
|
user_agent: version::get_user_agent(),
|
||||||
seed: program_state.flags.seed,
|
seed: program_state.flags.seed,
|
||||||
|
@ -189,6 +193,10 @@ pub fn create_main_worker(
|
||||||
.log_level
|
.log_level
|
||||||
.map_or(false, |l| l == log::Level::Debug),
|
.map_or(false, |l| l == log::Level::Debug),
|
||||||
unstable: program_state.flags.unstable,
|
unstable: program_state.flags.unstable,
|
||||||
|
unsafely_treat_insecure_origin_as_secure: program_state
|
||||||
|
.flags
|
||||||
|
.unsafely_treat_insecure_origin_as_secure
|
||||||
|
.clone(),
|
||||||
root_cert_store: program_state.root_cert_store.clone(),
|
root_cert_store: program_state.root_cert_store.clone(),
|
||||||
user_agent: version::get_user_agent(),
|
user_agent: version::get_user_agent(),
|
||||||
seed: program_state.flags.seed,
|
seed: program_state.flags.seed,
|
||||||
|
|
|
@ -1,5 +1,6 @@
|
||||||
// Copyright 2018-2021 the Deno authors. All rights reserved. MIT license.
|
// Copyright 2018-2021 the Deno authors. All rights reserved. MIT license.
|
||||||
|
|
||||||
|
use crate::colors;
|
||||||
use crate::config_file::ConfigFile;
|
use crate::config_file::ConfigFile;
|
||||||
use crate::deno_dir;
|
use crate::deno_dir;
|
||||||
use crate::file_fetcher::CacheSetting;
|
use crate::file_fetcher::CacheSetting;
|
||||||
|
@ -117,6 +118,21 @@ impl ProgramState {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if let Some(insecure_allowlist) =
|
||||||
|
flags.unsafely_treat_insecure_origin_as_secure.as_ref()
|
||||||
|
{
|
||||||
|
let domains = if insecure_allowlist.is_empty() {
|
||||||
|
"for all domains".to_string()
|
||||||
|
} else {
|
||||||
|
format!("for: {}", insecure_allowlist.join(", "))
|
||||||
|
};
|
||||||
|
let msg = format!(
|
||||||
|
"DANGER: SSL ceritificate validation is disabled {}",
|
||||||
|
domains
|
||||||
|
);
|
||||||
|
eprintln!("{}", colors::yellow(msg));
|
||||||
|
}
|
||||||
|
|
||||||
let cache_usage = if flags.cached_only {
|
let cache_usage = if flags.cached_only {
|
||||||
CacheSetting::Only
|
CacheSetting::Only
|
||||||
} else if !flags.cache_blocklist.is_empty() {
|
} else if !flags.cache_blocklist.is_empty() {
|
||||||
|
@ -137,6 +153,7 @@ impl ProgramState {
|
||||||
!flags.no_remote,
|
!flags.no_remote,
|
||||||
Some(root_cert_store.clone()),
|
Some(root_cert_store.clone()),
|
||||||
blob_store.clone(),
|
blob_store.clone(),
|
||||||
|
flags.unsafely_treat_insecure_origin_as_secure.clone(),
|
||||||
)?;
|
)?;
|
||||||
|
|
||||||
let lockfile = if let Some(filename) = &flags.lock {
|
let lockfile = if let Some(filename) = &flags.lock {
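Review bot: The warning string in the second hunk misspells "certificate": `"DANGER: SSL ceritificate validation is disabled {}"`. This line on stderr is the only runtime signal that verification is off, and the misspelling is also pinned by the two new expected-output files (`cafile_ts_fetch_unsafe_ssl.ts.out` and `cafile_url_imports_unsafe_ssl.ts.out`). The fix is `"DANGER: SSL certificate validation is disabled {}"` together with the matching change in both `.out` files. The enclosing function in `impl ProgramState` starts and ends outside the hunk.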
|
||||||
|
|
|
@ -598,6 +598,7 @@ pub mod tests {
|
||||||
true,
|
true,
|
||||||
None,
|
None,
|
||||||
BlobStore::default(),
|
BlobStore::default(),
|
||||||
|
None,
|
||||||
)
|
)
|
||||||
.expect("could not setup");
|
.expect("could not setup");
|
||||||
let disk_cache = deno_dir.gen_cache;
|
let disk_cache = deno_dir.gen_cache;
|
||||||
|
|
|
@ -57,6 +57,7 @@ pub struct Metadata {
|
||||||
pub log_level: Option<Level>,
|
pub log_level: Option<Level>,
|
||||||
pub ca_stores: Option<Vec<String>>,
|
pub ca_stores: Option<Vec<String>>,
|
||||||
pub ca_data: Option<Vec<u8>>,
|
pub ca_data: Option<Vec<u8>>,
|
||||||
|
pub unsafely_treat_insecure_origin_as_secure: Option<Vec<String>>,
|
||||||
}
|
}
|
||||||
|
|
||||||
pub const MAGIC_TRAILER: &[u8; 8] = b"d3n0l4nd";
|
pub const MAGIC_TRAILER: &[u8; 8] = b"d3n0l4nd";
|
||||||
|
@ -252,6 +253,8 @@ pub async fn run(
|
||||||
debug_flag: metadata.log_level.map_or(false, |l| l == log::Level::Debug),
|
debug_flag: metadata.log_level.map_or(false, |l| l == log::Level::Debug),
|
||||||
user_agent: version::get_user_agent(),
|
user_agent: version::get_user_agent(),
|
||||||
unstable: metadata.unstable,
|
unstable: metadata.unstable,
|
||||||
|
unsafely_treat_insecure_origin_as_secure: metadata
|
||||||
|
.unsafely_treat_insecure_origin_as_secure,
|
||||||
root_cert_store: Some(root_cert_store),
|
root_cert_store: Some(root_cert_store),
|
||||||
seed: metadata.seed,
|
seed: metadata.seed,
|
||||||
js_error_create_fn: None,
|
js_error_create_fn: None,
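Review bot: `Metadata` now stores `unsafely_treat_insecure_origin_as_secure`, and `create_standalone_binary` later in this commit copies the flag into it, so a binary produced with the flag set appears to run with certificate verification disabled on every later execution, with nothing on its own command line showing that. Nothing in the visible part of `run` prints the DANGER warning that the `impl ProgramState` hunk adds; if the standalone path does not go through that code, the compiled program would run with verification off and no notice, which is worth confirming. I would add a comment on the field, `// persisted into the compiled binary: verification stays disabled at runtime`, and emit the same warning in `run` when the value is `Some`. `run` begins and ends outside the hunk.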
|
||||||
|
|
2
cli/tests/cafile_ts_fetch_unsafe_ssl.ts.out
Normal file
2
cli/tests/cafile_ts_fetch_unsafe_ssl.ts.out
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
DANGER: SSL ceritificate validation is disabled for all domains
|
||||||
|
Hello
|
3
cli/tests/cafile_url_imports_unsafe_ssl.ts.out
Normal file
3
cli/tests/cafile_url_imports_unsafe_ssl.ts.out
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
DANGER: SSL ceritificate validation is disabled for: localhost
|
||||||
|
Hello
|
||||||
|
success
|
|
@ -474,6 +474,19 @@ fn broken_stdout() {
|
||||||
// http_server: true,
|
// http_server: true,
|
||||||
// });
|
// });
|
||||||
|
|
||||||
|
itest!(cafile_url_imports_unsafe_ssl {
|
||||||
|
args: "run --quiet --reload --unsafely-treat-insecure-origin-as-secure=localhost cafile_url_imports.ts",
|
||||||
|
output: "cafile_url_imports_unsafe_ssl.ts.out",
|
||||||
|
http_server: true,
|
||||||
|
});
|
||||||
|
|
||||||
|
itest!(cafile_ts_fetch_unsafe_ssl {
|
||||||
|
args:
|
||||||
|
"run --quiet --reload --allow-net --unsafely-treat-insecure-origin-as-secure cafile_ts_fetch.ts",
|
||||||
|
output: "cafile_ts_fetch_unsafe_ssl.ts.out",
|
||||||
|
http_server: true,
|
||||||
|
});
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
#[ignore]
|
#[ignore]
|
||||||
fn cafile_env_fetch() {
|
fn cafile_env_fetch() {
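Review bot: Both new `itest!` cases cover only the accepting path; there is no case where the flag lists one host and the script contacts a different one. The verifier in this commit returns `Err(TLSError::General(dns_name))` for any name that is not on a non-empty list instead of falling back to normal verification. With `=localhost`, a request to any other HTTPS host would therefore apparently fail even when its certificate is valid, while the warning claims validation is disabled only "for: localhost". A test that passes a host list and then fetches a different host would pin down which behaviour is intended.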
|
||||||
|
|
|
@ -99,6 +99,9 @@ pub fn create_standalone_binary(
|
||||||
location: flags.location.clone(),
|
location: flags.location.clone(),
|
||||||
permissions: flags.clone().into(),
|
permissions: flags.clone().into(),
|
||||||
v8_flags: flags.v8_flags.clone(),
|
v8_flags: flags.v8_flags.clone(),
|
||||||
|
unsafely_treat_insecure_origin_as_secure: flags
|
||||||
|
.unsafely_treat_insecure_origin_as_secure
|
||||||
|
.clone(),
|
||||||
log_level: flags.log_level,
|
log_level: flags.log_level,
|
||||||
ca_stores: flags.ca_stores,
|
ca_stores: flags.ca_stores,
|
||||||
ca_data,
|
ca_data,
|
||||||
|
@ -223,6 +226,8 @@ pub fn compile_to_runtime_flags(
|
||||||
lock: None,
|
lock: None,
|
||||||
log_level: flags.log_level,
|
log_level: flags.log_level,
|
||||||
no_check: false,
|
no_check: false,
|
||||||
|
unsafely_treat_insecure_origin_as_secure: flags
|
||||||
|
.unsafely_treat_insecure_origin_as_secure,
|
||||||
no_remote: false,
|
no_remote: false,
|
||||||
prompt: flags.prompt,
|
prompt: flags.prompt,
|
||||||
reload: false,
|
reload: false,
|
||||||
|
|
|
@ -60,6 +60,7 @@ pub fn init<P: FetchPermissions + 'static>(
|
||||||
root_cert_store: Option<RootCertStore>,
|
root_cert_store: Option<RootCertStore>,
|
||||||
proxy: Option<Proxy>,
|
proxy: Option<Proxy>,
|
||||||
request_builder_hook: Option<fn(RequestBuilder) -> RequestBuilder>,
|
request_builder_hook: Option<fn(RequestBuilder) -> RequestBuilder>,
|
||||||
|
unsafely_treat_insecure_origin_as_secure: Option<Vec<String>>,
|
||||||
) -> Extension {
|
) -> Extension {
|
||||||
Extension::builder()
|
Extension::builder()
|
||||||
.js(include_js_files!(
|
.js(include_js_files!(
|
||||||
|
@ -87,6 +88,7 @@ pub fn init<P: FetchPermissions + 'static>(
|
||||||
root_cert_store.clone(),
|
root_cert_store.clone(),
|
||||||
None,
|
None,
|
||||||
proxy.clone(),
|
proxy.clone(),
|
||||||
|
unsafely_treat_insecure_origin_as_secure.clone(),
|
||||||
)
|
)
|
||||||
.unwrap()
|
.unwrap()
|
||||||
});
|
});
|
||||||
|
@ -95,6 +97,8 @@ pub fn init<P: FetchPermissions + 'static>(
|
||||||
root_cert_store: root_cert_store.clone(),
|
root_cert_store: root_cert_store.clone(),
|
||||||
proxy: proxy.clone(),
|
proxy: proxy.clone(),
|
||||||
request_builder_hook,
|
request_builder_hook,
|
||||||
|
unsafely_treat_insecure_origin_as_secure:
|
||||||
|
unsafely_treat_insecure_origin_as_secure.clone(),
|
||||||
});
|
});
|
||||||
Ok(())
|
Ok(())
|
||||||
})
|
})
|
||||||
|
@ -106,6 +110,7 @@ pub struct HttpClientDefaults {
|
||||||
pub root_cert_store: Option<RootCertStore>,
|
pub root_cert_store: Option<RootCertStore>,
|
||||||
pub proxy: Option<Proxy>,
|
pub proxy: Option<Proxy>,
|
||||||
pub request_builder_hook: Option<fn(RequestBuilder) -> RequestBuilder>,
|
pub request_builder_hook: Option<fn(RequestBuilder) -> RequestBuilder>,
|
||||||
|
pub unsafely_treat_insecure_origin_as_secure: Option<Vec<String>>,
|
||||||
}
|
}
|
||||||
|
|
||||||
pub trait FetchPermissions {
|
pub trait FetchPermissions {
|
||||||
|
@ -532,11 +537,13 @@ where
|
||||||
let defaults = state.borrow::<HttpClientDefaults>();
|
let defaults = state.borrow::<HttpClientDefaults>();
|
||||||
let cert_data =
|
let cert_data =
|
||||||
get_cert_data(args.ca_file.as_deref(), args.ca_data.as_deref())?;
|
get_cert_data(args.ca_file.as_deref(), args.ca_data.as_deref())?;
|
||||||
|
|
||||||
let client = create_http_client(
|
let client = create_http_client(
|
||||||
defaults.user_agent.clone(),
|
defaults.user_agent.clone(),
|
||||||
defaults.root_cert_store.clone(),
|
defaults.root_cert_store.clone(),
|
||||||
cert_data,
|
cert_data,
|
||||||
args.proxy,
|
args.proxy,
|
||||||
|
defaults.unsafely_treat_insecure_origin_as_secure.clone(),
|
||||||
)
|
)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
|
|
||||||
|
|
|
@ -94,9 +94,16 @@ pub struct DefaultTlsOptions {
|
||||||
pub root_cert_store: Option<RootCertStore>,
|
pub root_cert_store: Option<RootCertStore>,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// `UnsafelyTreatInsecureOriginAsSecure` is a wrapper struct so it can be placed inside `GothamState`;
|
||||||
|
/// using type alias for a `Option<Vec<String>>` could work, but there's a high chance
|
||||||
|
/// that there might be another type alias pointing to a `Option<Vec<String>>`, which
|
||||||
|
/// would override previously used alias.
|
||||||
|
pub struct UnsafelyTreatInsecureOriginAsSecure(Option<Vec<String>>);
|
||||||
|
|
||||||
pub fn init<P: NetPermissions + 'static>(
|
pub fn init<P: NetPermissions + 'static>(
|
||||||
root_cert_store: Option<RootCertStore>,
|
root_cert_store: Option<RootCertStore>,
|
||||||
unstable: bool,
|
unstable: bool,
|
||||||
|
unsafely_treat_insecure_origin_as_secure: Option<Vec<String>>,
|
||||||
) -> Extension {
|
) -> Extension {
|
||||||
let mut ops_to_register = vec![];
|
let mut ops_to_register = vec![];
|
||||||
ops_to_register.extend(io::init());
|
ops_to_register.extend(io::init());
|
||||||
|
@ -115,6 +122,9 @@ pub fn init<P: NetPermissions + 'static>(
|
||||||
root_cert_store: root_cert_store.clone(),
|
root_cert_store: root_cert_store.clone(),
|
||||||
});
|
});
|
||||||
state.put(UnstableChecker { unstable });
|
state.put(UnstableChecker { unstable });
|
||||||
|
state.put(UnsafelyTreatInsecureOriginAsSecure(
|
||||||
|
unsafely_treat_insecure_origin_as_secure.clone(),
|
||||||
|
));
|
||||||
Ok(())
|
Ok(())
|
||||||
})
|
})
|
||||||
.build()
|
.build()
|
||||||
|
|
|
@ -9,6 +9,7 @@ use crate::resolve_addr::resolve_addr;
|
||||||
use crate::resolve_addr::resolve_addr_sync;
|
use crate::resolve_addr::resolve_addr_sync;
|
||||||
use crate::DefaultTlsOptions;
|
use crate::DefaultTlsOptions;
|
||||||
use crate::NetPermissions;
|
use crate::NetPermissions;
|
||||||
|
use crate::UnsafelyTreatInsecureOriginAsSecure;
|
||||||
use deno_core::error::bad_resource;
|
use deno_core::error::bad_resource;
|
||||||
use deno_core::error::bad_resource_id;
|
use deno_core::error::bad_resource_id;
|
||||||
use deno_core::error::custom_error;
|
use deno_core::error::custom_error;
|
||||||
|
@ -720,8 +721,8 @@ where
|
||||||
let local_addr = tcp_stream.local_addr()?;
|
let local_addr = tcp_stream.local_addr()?;
|
||||||
let remote_addr = tcp_stream.peer_addr()?;
|
let remote_addr = tcp_stream.peer_addr()?;
|
||||||
|
|
||||||
let tls_config = Arc::new(create_client_config(root_cert_store, ca_data)?);
|
let tls_config =
|
||||||
|
Arc::new(create_client_config(root_cert_store, ca_data, None)?);
|
||||||
let tls_stream =
|
let tls_stream =
|
||||||
TlsStream::new_client_side(tcp_stream, &tls_config, hostname_dns);
|
TlsStream::new_client_side(tcp_stream, &tls_config, hostname_dns);
|
||||||
|
|
||||||
|
@ -760,6 +761,11 @@ where
|
||||||
};
|
};
|
||||||
let port = args.port;
|
let port = args.port;
|
||||||
let cert_file = args.cert_file.as_deref();
|
let cert_file = args.cert_file.as_deref();
|
||||||
|
let unsafely_treat_insecure_origin_as_secure = state
|
||||||
|
.borrow()
|
||||||
|
.borrow::<UnsafelyTreatInsecureOriginAsSecure>()
|
||||||
|
.0
|
||||||
|
.clone();
|
||||||
|
|
||||||
if args.cert_chain.is_some() {
|
if args.cert_chain.is_some() {
|
||||||
super::check_unstable2(&state, "ConnectTlsOptions.certChain");
|
super::check_unstable2(&state, "ConnectTlsOptions.certChain");
|
||||||
|
@ -801,8 +807,11 @@ where
|
||||||
let tcp_stream = TcpStream::connect(connect_addr).await?;
|
let tcp_stream = TcpStream::connect(connect_addr).await?;
|
||||||
let local_addr = tcp_stream.local_addr()?;
|
let local_addr = tcp_stream.local_addr()?;
|
||||||
let remote_addr = tcp_stream.peer_addr()?;
|
let remote_addr = tcp_stream.peer_addr()?;
|
||||||
|
let mut tls_config = create_client_config(
|
||||||
let mut tls_config = create_client_config(root_cert_store, ca_data)?;
|
root_cert_store,
|
||||||
|
ca_data,
|
||||||
|
unsafely_treat_insecure_origin_as_secure,
|
||||||
|
)?;
|
||||||
|
|
||||||
if args.cert_chain.is_some() || args.private_key.is_some() {
|
if args.cert_chain.is_some() || args.private_key.is_some() {
|
||||||
let cert_chain = args
|
let cert_chain = args
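Review bot: The two call sites of `create_client_config` now disagree: the one in the hunk at -720 passes `None` as the third argument, while the one at -801 passes the value read from `UnsafelyTreatInsecureOriginAsSecure`. The first path therefore always verifies certificates regardless of the flag. That is the safe direction, but if it is deliberate it deserves a comment at the call, e.g. `// flag intentionally not applied here: this path always verifies`; if it is not, the flag behaves differently depending on how the TLS connection is opened. Both enclosing functions start and end outside the hunks.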
|
||||||
|
|
|
@ -17,7 +17,7 @@ path = "lib.rs"
|
||||||
deno_core = { version = "0.95.0", path = "../../core" }
|
deno_core = { version = "0.95.0", path = "../../core" }
|
||||||
lazy_static = "1.4.0"
|
lazy_static = "1.4.0"
|
||||||
reqwest = { version = "0.11.4", default-features = false, features = ["rustls-tls", "stream", "gzip", "brotli"] }
|
reqwest = { version = "0.11.4", default-features = false, features = ["rustls-tls", "stream", "gzip", "brotli"] }
|
||||||
rustls = "0.19.0"
|
rustls = { version = "0.19.1", features = ["dangerous_configuration"] }
|
||||||
rustls-native-certs = "0.5.0"
|
rustls-native-certs = "0.5.0"
|
||||||
serde = { version = "1.0.126", features = ["derive"] }
|
serde = { version = "1.0.126", features = ["derive"] }
|
||||||
webpki = "0.21.4"
|
webpki = "0.21.4"
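Review bot: The changed `rustls` line carries no explanation of why `dangerous_configuration` is switched on. That feature is what allows a custom `ServerCertVerifier` to be installed, and because Cargo unifies features across a build, other crates in the workspace that depend on rustls can presumably reach the same API, not only the single verifier added in this commit. A comment above the line would record the reason and the intended scope: `# dangerous_configuration: required only by NoCertificateVerification (--unsafely-treat-insecure-origin-as-secure)`.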
|
||||||
|
|
|
@ -16,20 +16,65 @@ use reqwest::header::HeaderMap;
|
||||||
use reqwest::header::USER_AGENT;
|
use reqwest::header::USER_AGENT;
|
||||||
use reqwest::redirect::Policy;
|
use reqwest::redirect::Policy;
|
||||||
use reqwest::Client;
|
use reqwest::Client;
|
||||||
|
use rustls::internal::msgs::handshake::DigitallySignedStruct;
|
||||||
|
use rustls::Certificate;
|
||||||
use rustls::ClientConfig;
|
use rustls::ClientConfig;
|
||||||
|
use rustls::HandshakeSignatureValid;
|
||||||
use rustls::RootCertStore;
|
use rustls::RootCertStore;
|
||||||
|
use rustls::ServerCertVerified;
|
||||||
|
use rustls::ServerCertVerifier;
|
||||||
use rustls::StoresClientSessions;
|
use rustls::StoresClientSessions;
|
||||||
|
use rustls::TLSError;
|
||||||
use serde::Deserialize;
|
use serde::Deserialize;
|
||||||
use std::collections::HashMap;
|
use std::collections::HashMap;
|
||||||
use std::io::BufReader;
|
use std::io::BufReader;
|
||||||
use std::io::Cursor;
|
use std::io::Cursor;
|
||||||
use std::sync::Arc;
|
use std::sync::Arc;
|
||||||
|
use webpki::DNSNameRef;
|
||||||
|
|
||||||
/// This extension has no runtime apis, it only exports some shared native functions.
|
/// This extension has no runtime apis, it only exports some shared native functions.
|
||||||
pub fn init() -> Extension {
|
pub fn init() -> Extension {
|
||||||
Extension::builder().build()
|
Extension::builder().build()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub struct NoCertificateVerification(pub Vec<String>);
|
||||||
|
|
||||||
|
impl ServerCertVerifier for NoCertificateVerification {
|
||||||
|
fn verify_server_cert(
|
||||||
|
&self,
|
||||||
|
_roots: &RootCertStore,
|
||||||
|
_presented_certs: &[Certificate],
|
||||||
|
dns_name: DNSNameRef<'_>,
|
||||||
|
_ocsp: &[u8],
|
||||||
|
) -> Result<ServerCertVerified, TLSError> {
|
||||||
|
let dns_name: &str = dns_name.into();
|
||||||
|
let dns_name: String = dns_name.to_owned();
|
||||||
|
if self.0.is_empty() || self.0.contains(&dns_name) {
|
||||||
|
Ok(ServerCertVerified::assertion())
|
||||||
|
} else {
|
||||||
|
Err(TLSError::General(dns_name))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
fn verify_tls12_signature(
|
||||||
|
&self,
|
||||||
|
_message: &[u8],
|
||||||
|
_cert: &Certificate,
|
||||||
|
_dss: &DigitallySignedStruct,
|
||||||
|
) -> Result<HandshakeSignatureValid, TLSError> {
|
||||||
|
Ok(HandshakeSignatureValid::assertion())
|
||||||
|
}
|
||||||
|
|
||||||
|
fn verify_tls13_signature(
|
||||||
|
&self,
|
||||||
|
_message: &[u8],
|
||||||
|
_cert: &Certificate,
|
||||||
|
_dss: &DigitallySignedStruct,
|
||||||
|
) -> Result<HandshakeSignatureValid, TLSError> {
|
||||||
|
Ok(HandshakeSignatureValid::assertion())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#[derive(Deserialize, Default, Debug, Clone)]
|
#[derive(Deserialize, Default, Debug, Clone)]
|
||||||
#[serde(rename_all = "camelCase")]
|
#[serde(rename_all = "camelCase")]
|
||||||
#[serde(default)]
|
#[serde(default)]
|
||||||
|
@ -80,6 +125,7 @@ pub fn create_default_root_cert_store() -> RootCertStore {
|
||||||
pub fn create_client_config(
|
pub fn create_client_config(
|
||||||
root_cert_store: Option<RootCertStore>,
|
root_cert_store: Option<RootCertStore>,
|
||||||
ca_data: Option<Vec<u8>>,
|
ca_data: Option<Vec<u8>>,
|
||||||
|
unsafely_treat_insecure_origin_as_secure: Option<Vec<String>>,
|
||||||
) -> Result<ClientConfig, AnyError> {
|
) -> Result<ClientConfig, AnyError> {
|
||||||
let mut tls_config = ClientConfig::new();
|
let mut tls_config = ClientConfig::new();
|
||||||
tls_config.set_persistence(CLIENT_SESSION_MEMORY_CACHE.clone());
|
tls_config.set_persistence(CLIENT_SESSION_MEMORY_CACHE.clone());
|
||||||
|
@ -95,6 +141,12 @@ pub fn create_client_config(
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if let Some(ic_allowlist) = unsafely_treat_insecure_origin_as_secure {
|
||||||
|
tls_config.dangerous().set_certificate_verifier(Arc::new(
|
||||||
|
NoCertificateVerification(ic_allowlist),
|
||||||
|
));
|
||||||
|
}
|
||||||
|
|
||||||
Ok(tls_config)
|
Ok(tls_config)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -105,8 +157,13 @@ pub fn create_http_client(
|
||||||
root_cert_store: Option<RootCertStore>,
|
root_cert_store: Option<RootCertStore>,
|
||||||
ca_data: Option<Vec<u8>>,
|
ca_data: Option<Vec<u8>>,
|
||||||
proxy: Option<Proxy>,
|
proxy: Option<Proxy>,
|
||||||
|
unsafely_treat_insecure_origin_as_secure: Option<Vec<String>>,
|
||||||
) -> Result<Client, AnyError> {
|
) -> Result<Client, AnyError> {
|
||||||
let tls_config = create_client_config(root_cert_store, ca_data)?;
|
let tls_config = create_client_config(
|
||||||
|
root_cert_store,
|
||||||
|
ca_data,
|
||||||
|
unsafely_treat_insecure_origin_as_secure,
|
||||||
|
)?;
|
||||||
let mut headers = HeaderMap::new();
|
let mut headers = HeaderMap::new();
|
||||||
headers.insert(USER_AGENT, user_agent.parse().unwrap());
|
headers.insert(USER_AGENT, user_agent.parse().unwrap());
|
||||||
let mut builder = Client::builder()
|
let mut builder = Client::builder()
|
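Review bot: In `NoCertificateVerification::verify_server_cert`, a host that is not in the allowlist is rejected with `Err(TLSError::General(dns_name))` instead of being verified normally. When the flag is given specific hosts, every other TLS connection built from this `ClientConfig` therefore fails, and the error text is only the bare host name. The non-listed branch should fall back to the standard verifier, which means using the `_roots`, `_presented_certs` and `_ocsp` parameters instead of ignoring them (sketch below, assuming `rustls::WebPKIVerifier` is exported under the `dangerous_configuration` feature). `verify_tls12_signature` and `verify_tls13_signature` return `HandshakeSignatureValid::assertion()` for every host; once the fallback exists they should skip the check only when the list is empty and otherwise delegate to the same verifier. The allowlist match is an exact, case-sensitive string comparison, which fails closed but deserves a comment.

```rust
fn verify_server_cert(
  &self,
  roots: &RootCertStore,
  presented_certs: &[Certificate],
  dns_name: DNSNameRef<'_>,
  ocsp: &[u8],
) -> Result<ServerCertVerified, TLSError> {
  let host: &str = dns_name.into();
  if self.0.is_empty() || self.0.contains(&host.to_owned()) {
    // Verification is skipped only for hosts the user explicitly opted out for.
    Ok(ServerCertVerified::assertion())
  } else {
    // Every other host keeps normal chain and name validation.
    rustls::WebPKIVerifier::new().verify_server_cert(
      roots,
      presented_certs,
      dns_name,
      ocsp,
    )
  }
}
// … unchanged: verify_tls12_signature, verify_tls13_signature …
```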
||||||
|
|
|
@ -54,6 +54,12 @@ pub trait WebSocketPermissions {
|
||||||
fn check_net_url(&mut self, _url: &url::Url) -> Result<(), AnyError>;
|
fn check_net_url(&mut self, _url: &url::Url) -> Result<(), AnyError>;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// `UnsafelyTreatInsecureOriginAsSecure` is a wrapper struct so it can be placed inside `GothamState`;
|
||||||
|
/// using type alias for a `Option<Vec<String>>` could work, but there's a high chance
|
||||||
|
/// that there might be another type alias pointing to a `Option<Vec<String>>`, which
|
||||||
|
/// would override previously used alias.
|
||||||
|
pub struct UnsafelyTreatInsecureOriginAsSecure(Option<Vec<String>>);
|
||||||
|
|
||||||
/// For use with `op_websocket_*` when the user does not want permissions.
|
/// For use with `op_websocket_*` when the user does not want permissions.
|
||||||
pub struct NoWebSocketPermissions;
|
pub struct NoWebSocketPermissions;
|
||||||
|
|
||||||
|
@ -197,6 +203,11 @@ where
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
let unsafely_treat_insecure_origin_as_secure = state
|
||||||
|
.borrow()
|
||||||
|
.borrow::<UnsafelyTreatInsecureOriginAsSecure>()
|
||||||
|
.0
|
||||||
|
.clone();
|
||||||
let root_cert_store = state.borrow().borrow::<WsRootStore>().0.clone();
|
let root_cert_store = state.borrow().borrow::<WsRootStore>().0.clone();
|
||||||
let user_agent = state.borrow().borrow::<WsUserAgent>().0.clone();
|
let user_agent = state.borrow().borrow::<WsUserAgent>().0.clone();
|
||||||
let uri: Uri = args.url.parse()?;
|
let uri: Uri = args.url.parse()?;
|
||||||
|
@ -221,7 +232,11 @@ where
|
||||||
let socket: MaybeTlsStream<TcpStream> = match uri.scheme_str() {
|
let socket: MaybeTlsStream<TcpStream> = match uri.scheme_str() {
|
||||||
Some("ws") => MaybeTlsStream::Plain(tcp_socket),
|
Some("ws") => MaybeTlsStream::Plain(tcp_socket),
|
||||||
Some("wss") => {
|
Some("wss") => {
|
||||||
let tls_config = create_client_config(root_cert_store, None)?;
|
let tls_config = create_client_config(
|
||||||
|
root_cert_store,
|
||||||
|
None,
|
||||||
|
unsafely_treat_insecure_origin_as_secure,
|
||||||
|
)?;
|
||||||
let tls_connector = TlsConnector::from(Arc::new(tls_config));
|
let tls_connector = TlsConnector::from(Arc::new(tls_config));
|
||||||
let dnsname = DNSNameRef::try_from_ascii_str(domain)
|
let dnsname = DNSNameRef::try_from_ascii_str(domain)
|
||||||
.map_err(|_| invalid_hostname(domain))?;
|
.map_err(|_| invalid_hostname(domain))?;
|
||||||
|
@ -377,6 +392,7 @@ pub async fn op_ws_next_event(
|
||||||
pub fn init<P: WebSocketPermissions + 'static>(
|
pub fn init<P: WebSocketPermissions + 'static>(
|
||||||
user_agent: String,
|
user_agent: String,
|
||||||
root_cert_store: Option<RootCertStore>,
|
root_cert_store: Option<RootCertStore>,
|
||||||
|
unsafely_treat_insecure_origin_as_secure: Option<Vec<String>>,
|
||||||
) -> Extension {
|
) -> Extension {
|
||||||
Extension::builder()
|
Extension::builder()
|
||||||
.js(include_js_files!(
|
.js(include_js_files!(
|
||||||
|
@ -395,6 +411,9 @@ pub fn init<P: WebSocketPermissions + 'static>(
|
||||||
])
|
])
|
||||||
.state(move |state| {
|
.state(move |state| {
|
||||||
state.put::<WsUserAgent>(WsUserAgent(user_agent.clone()));
|
state.put::<WsUserAgent>(WsUserAgent(user_agent.clone()));
|
||||||
|
state.put(UnsafelyTreatInsecureOriginAsSecure(
|
||||||
|
unsafely_treat_insecure_origin_as_secure.clone(),
|
||||||
|
));
|
||||||
state.put::<WsRootStore>(WsRootStore(root_cert_store.clone()));
|
state.put::<WsRootStore>(WsRootStore(root_cert_store.clone()));
|
||||||
Ok(())
|
Ok(())
|
||||||
})
|
})
|
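Review bot: The doc comment on `UnsafelyTreatInsecureOriginAsSecure` explains why a wrapper struct is used but not what its three possible values mean, and that meaning is security-critical. Judging by how `create_client_config` and `NoCertificateVerification` treat the value, `None` leaves certificate verification on, `Some(vec![])` turns it off for every host, and a non-empty list limits the bypass to those host names. I would add `/// None: verify normally; Some(empty): skip verification for all hosts; Some(hosts): skip only for the listed host names.` above the struct. The same undocumented `Option<Vec<String>>` appears as a parameter of `init` and as a public field on `WebWorkerOptions` and `WorkerOptions`, where an accidental `Some(vec![])` would disable TLS verification everywhere; those declarations deserve the same line.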
||||||
|
|
|
@ -48,10 +48,12 @@ fn create_runtime_snapshot(snapshot_path: &Path, files: Vec<PathBuf>) {
|
||||||
None,
|
None,
|
||||||
None,
|
None,
|
||||||
None,
|
None,
|
||||||
|
None,
|
||||||
),
|
),
|
||||||
deno_websocket::init::<deno_websocket::NoWebSocketPermissions>(
|
deno_websocket::init::<deno_websocket::NoWebSocketPermissions>(
|
||||||
"".to_owned(),
|
"".to_owned(),
|
||||||
None,
|
None,
|
||||||
|
None,
|
||||||
),
|
),
|
||||||
deno_webstorage::init(None),
|
deno_webstorage::init(None),
|
||||||
deno_crypto::init(None),
|
deno_crypto::init(None),
|
||||||
|
@ -62,7 +64,10 @@ fn create_runtime_snapshot(snapshot_path: &Path, files: Vec<PathBuf>) {
|
||||||
false, // No --unstable.
|
false, // No --unstable.
|
||||||
),
|
),
|
||||||
deno_ffi::init::<deno_ffi::NoFfiPermissions>(false),
|
deno_ffi::init::<deno_ffi::NoFfiPermissions>(false),
|
||||||
deno_net::init::<deno_net::NoNetPermissions>(None, false), // No --unstable.
|
deno_net::init::<deno_net::NoNetPermissions>(
|
||||||
|
None, false, // No --unstable.
|
||||||
|
None,
|
||||||
|
),
|
||||||
deno_http::init(),
|
deno_http::init(),
|
||||||
];
|
];
|
||||||
|
|
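Review bot: The `None` added to the `deno_net::init` call is unlabeled, and the existing `// No --unstable.` comment now sits on a line holding two arguments (`None, false,`), so it is no longer clear which value it describes. Since this positional `None` is the switch that keeps certificate verification enabled, I would put each argument on its own line with its own comment: `false, // No --unstable.` and `None, // No --unsafely-treat-insecure-origin-as-secure.`. The bare `None` appended to the `deno_websocket::init` call, and to the call that closes just before it, in the first hunk would benefit from the same label. `create_runtime_snapshot` starts and ends outside these hunks.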
||||||
|
|
|
@ -27,6 +27,7 @@ async fn main() -> Result<(), AnyError> {
|
||||||
args: vec![],
|
args: vec![],
|
||||||
debug_flag: false,
|
debug_flag: false,
|
||||||
unstable: false,
|
unstable: false,
|
||||||
|
unsafely_treat_insecure_origin_as_secure: None,
|
||||||
root_cert_store: None,
|
root_cert_store: None,
|
||||||
user_agent: "hello_runtime".to_string(),
|
user_agent: "hello_runtime".to_string(),
|
||||||
seed: None,
|
seed: None,
|
||||||
|
|
|
@ -253,6 +253,7 @@ pub struct WebWorkerOptions {
|
||||||
pub args: Vec<String>,
|
pub args: Vec<String>,
|
||||||
pub debug_flag: bool,
|
pub debug_flag: bool,
|
||||||
pub unstable: bool,
|
pub unstable: bool,
|
||||||
|
pub unsafely_treat_insecure_origin_as_secure: Option<Vec<String>>,
|
||||||
pub root_cert_store: Option<RootCertStore>,
|
pub root_cert_store: Option<RootCertStore>,
|
||||||
pub user_agent: String,
|
pub user_agent: String,
|
||||||
pub seed: Option<u64>,
|
pub seed: Option<u64>,
|
||||||
|
@ -304,10 +305,12 @@ impl WebWorker {
|
||||||
options.root_cert_store.clone(),
|
options.root_cert_store.clone(),
|
||||||
None,
|
None,
|
||||||
None,
|
None,
|
||||||
|
options.unsafely_treat_insecure_origin_as_secure.clone(),
|
||||||
),
|
),
|
||||||
deno_websocket::init::<Permissions>(
|
deno_websocket::init::<Permissions>(
|
||||||
options.user_agent.clone(),
|
options.user_agent.clone(),
|
||||||
options.root_cert_store.clone(),
|
options.root_cert_store.clone(),
|
||||||
|
options.unsafely_treat_insecure_origin_as_secure.clone(),
|
||||||
),
|
),
|
||||||
deno_broadcast_channel::init(
|
deno_broadcast_channel::init(
|
||||||
options.broadcast_channel.clone(),
|
options.broadcast_channel.clone(),
|
||||||
|
@ -341,6 +344,7 @@ impl WebWorker {
|
||||||
deno_net::init::<Permissions>(
|
deno_net::init::<Permissions>(
|
||||||
options.root_cert_store.clone(),
|
options.root_cert_store.clone(),
|
||||||
options.unstable,
|
options.unstable,
|
||||||
|
options.unsafely_treat_insecure_origin_as_secure.clone(),
|
||||||
),
|
),
|
||||||
ops::os::init(),
|
ops::os::init(),
|
||||||
ops::permissions::init(),
|
ops::permissions::init(),
|
||||||
|
|
|
@ -50,6 +50,7 @@ pub struct WorkerOptions {
|
||||||
pub args: Vec<String>,
|
pub args: Vec<String>,
|
||||||
pub debug_flag: bool,
|
pub debug_flag: bool,
|
||||||
pub unstable: bool,
|
pub unstable: bool,
|
||||||
|
pub unsafely_treat_insecure_origin_as_secure: Option<Vec<String>>,
|
||||||
pub root_cert_store: Option<RootCertStore>,
|
pub root_cert_store: Option<RootCertStore>,
|
||||||
pub user_agent: String,
|
pub user_agent: String,
|
||||||
pub seed: Option<u64>,
|
pub seed: Option<u64>,
|
||||||
|
@ -103,10 +104,12 @@ impl MainWorker {
|
||||||
options.root_cert_store.clone(),
|
options.root_cert_store.clone(),
|
||||||
None,
|
None,
|
||||||
None,
|
None,
|
||||||
|
options.unsafely_treat_insecure_origin_as_secure.clone(),
|
||||||
),
|
),
|
||||||
deno_websocket::init::<Permissions>(
|
deno_websocket::init::<Permissions>(
|
||||||
options.user_agent.clone(),
|
options.user_agent.clone(),
|
||||||
options.root_cert_store.clone(),
|
options.root_cert_store.clone(),
|
||||||
|
options.unsafely_treat_insecure_origin_as_secure.clone(),
|
||||||
),
|
),
|
||||||
deno_webstorage::init(options.origin_storage_dir.clone()),
|
deno_webstorage::init(options.origin_storage_dir.clone()),
|
||||||
deno_crypto::init(options.seed),
|
deno_crypto::init(options.seed),
|
||||||
|
@ -131,6 +134,7 @@ impl MainWorker {
|
||||||
deno_net::init::<Permissions>(
|
deno_net::init::<Permissions>(
|
||||||
options.root_cert_store.clone(),
|
options.root_cert_store.clone(),
|
||||||
options.unstable,
|
options.unstable,
|
||||||
|
options.unsafely_treat_insecure_origin_as_secure.clone(),
|
||||||
),
|
),
|
||||||
ops::os::init(),
|
ops::os::init(),
|
||||||
ops::permissions::init(),
|
ops::permissions::init(),
|
||||||
|
@ -300,6 +304,7 @@ mod tests {
|
||||||
args: vec![],
|
args: vec![],
|
||||||
debug_flag: false,
|
debug_flag: false,
|
||||||
unstable: false,
|
unstable: false,
|
||||||
|
unsafely_treat_insecure_origin_as_secure: None,
|
||||||
root_cert_store: None,
|
root_cert_store: None,
|
||||||
seed: None,
|
seed: None,
|
||||||
js_error_create_fn: None,
|
js_error_create_fn: None,
|
||||||
|
|