foster/denoland-deno
0
0
Fork 0
mirror of https://github.com/denoland/deno.git synced 2024-10-31 09:14:20 -04:00
Code Issues Wiki Activity
denoland-deno/docs/runtime/workers.md
Bartek Iwańczuk 32aeec9630
refactor: check permissions in SourceFileFetcher (#5011) 
This PR hot-fixes permission escapes in dynamic imports, workers
and runtime compiler APIs.

"permissions" parameter was added to public APIs of SourceFileFetcher
and appropriate permission checks are performed during loading of
local and remote files.
2020-05-11 13:13:27 +02:00

2.3 KiB
Raw Blame History

Workers

Deno supports Web Worker API.

Workers can be used to run code on multiple threads. Each instance of Worker is run on a separate thread, dedicated only to that worker.

Currently Deno supports only module type workers; thus it's essential to pass type: "module" option when creating new worker:

// Good
new Worker("./worker.js", { type: "module" });

// Bad
new Worker("./worker.js");
new Worker("./worker.js", { type: "classic" });

Permissions

Creating a new Worker instance is similar to a dynamic import; therefore Deno requires appropriate permission for this action.

For workers using local modules; --allow-read permission is required:

// main.ts
new Worker("./worker.ts", { type: "module" });

// worker.ts
console.log("hello world");
self.close();

$ deno run main.ts
error: Uncaught PermissionDenied: read access to "./worker.ts", run again with the --allow-read flag

$ deno run --allow-read main.ts
hello world

For workers using remote modules; --allow-read permission is required:

// main.ts
new Worker("https://example.com/worker.ts", { type: "module" });

// worker.ts
console.log("hello world");
self.close();

$ deno run main.ts
error: Uncaught PermissionDenied: net access to "https://example.com/worker.ts", run again with the --allow-net flag

$ deno run --allow-net main.ts
hello world

Using Deno in worker

This is an unstable Deno feature. Learn more about unstable features.

By default Deno namespace is not available in worker scope.

To add Deno namespace pass deno: true option when creating new worker:

// main.js
const worker = new Worker("./worker.js", { type: "module", deno: true });
worker.postMessage({ filename: "./log.txt" });

// worker.js
self.onmessage = async (e) => {
  const { filename } = e.data;
  const text = await Deno.readTextFile(filename);
  console.log(text);
  self.close();
};

// log.txt
hello world

$ deno run --allow-read --unstable main.js
hello world

When Deno namespace is available in worker scope; the worker inherits parent process permissions (the ones specified using --allow-* flags).

We intend to make permissions configurable for workers.