Proposal: --allow-net-fetch (fetch-only net permissions) #22902

Open
teleclimber opened this issue Mar 13, 2024 · 1 comment
Labels
- cli: related to cli/ dir
- permissions: related to --allow-* flags
- suggestion: suggestions for new features (yet to be agreed)

teleclimber commented Mar 13, 2024

I don't know how the net permissions will be improved in Deno 2.0 (or if they will?) but I would like to make this suggestion:

Add a permission that allows net access via fetch only.

Why?

First, it would cover a large majority of use cases, where code just needs to make HTTP requests. Unlike --allow-net it doesn't allow a server to listen (see #16532) and you can't use it to start a TELNET session to probe for network services.

Second, when used in combination with `HTTP[S]_PROXY`, it would guarantee that all net requests go through the proxy. This is useful if you want to allow net requests, but you need to monitor them and provide additional filtering.

Currently, you can use HTTP_PROXY to filter or monitor fetches, but nothing prevents malicious code from bypassing the proxy using Deno.connect. With --allow-net-fetch, net activity initiated with Deno.connect gets blocked (unless allowed using --allow-net).

In other discussions, Deno team members have recommended that Deno be run with its own networking namespace to cover this requirement (#11925 (comment)). However this implies a Linux environment and rules out using this on local machines running Mac or Windows. With --allow-net-fetch you don't have to be on Linux (and you don't have to mess with namespaces, which can be prickly).

There are a number of reasons why systems may want to filter net requests beyond what Deno currently allows:

It would be great if Deno could offer a simple cross-platform way to monitor/block fetches.

Thank you for considering!

✌️
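Added example, not part of the original issue and not Deno's own code: the per-request policy check a filtering forward proxy (the one `HTTP_PROXY`/`HTTPS_PROXY` points at) could apply to proxied fetches. The allowlist, `parseTarget` and `decide` are hypothetical names with constructed sample hosts; as the issue notes, this only sees traffic that actually reaches the proxy.

```typescript
// Added example, not Deno code: per-request policy for a filtering forward proxy.
type Decision = { allow: boolean; host: string; port: number; reason: string };

// Hypothetical allowlist (constructed): host -> permitted ports.
const ALLOWED: Record<string, number[]> = {
  "api.example.com": [443],
  "registry.example.net": [80, 443],
};

function toUrl(s: string): URL | null {
  try { return new URL(s); } catch (_e) { return null; }
}

// HTTPS fetches reach a proxy as "CONNECT host:port"; plain-HTTP fetches
// arrive with an absolute-form target ("GET http://host/path").
function parseTarget(requestLine: string): { host: string; port: number } | null {
  const parts = requestLine.trim().split(/\s+/);
  if (parts.length !== 3 || !/^HTTP\/1\.[01]$/.test(parts[2])) return null;
  const [method, target] = parts;
  if (method.toUpperCase() === "CONNECT") {
    // Authority-form only; IPv6 literals and anything else fail closed.
    const m = /^([A-Za-z0-9.-]+):(\d{1,5})$/.exec(target);
    return m ? { host: m[1].toLowerCase(), port: Number(m[2]) } : null;
  }
  const url = toUrl(target); // origin-form ("/path") does not parse and is rejected
  if (!url || url.protocol !== "http:" || url.username || url.password) return null;
  return { host: url.hostname, port: url.port ? Number(url.port) : 80 };
}

function decide(requestLine: string): Decision {
  const t = parseTarget(requestLine);
  if (!t) return { allow: false, host: "", port: 0, reason: "unparseable target" };
  // Strip a trailing dot so "api.example.com." matches the same entry.
  const host = t.host.replace(/\.$/, "");
  // Own-property lookup so names like "constructor" never hit Object.prototype.
  const ports = Object.prototype.hasOwnProperty.call(ALLOWED, host) ? ALLOWED[host] : undefined;
  if (!ports) return { allow: false, host, port: t.port, reason: "host not allowlisted" };
  if (ports.indexOf(t.port) === -1) return { allow: false, host, port: t.port, reason: "port not allowlisted" };
  return { allow: true, host, port: t.port, reason: "ok" };
}
```

Logging every `Decision`, allowed or not, gives the monitoring half of the use case; the check defaults to deny for anything it cannot parse.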

@lucacasonato lucacasonato added suggestion suggestions for new features (yet to be agreed) 2.0 triage required cli related to cli/ dir permissions related to --allow-* flags labels Jun 12, 2024
@lucacasonato
Member

We don't think this is a breaking change to add, so we are not going to do this for Deno 2. We do however see the use case, and may do this in a later release.
