by ecares
2228 days ago
Let me tell it another way: browsers have been benefiting from decades of innovation to mitigate the security issues of executing JavaScript. CORS headers are the latest of these innovations. Deno allows you to fetch code as a browser would without providing you with any of the safety browsers can have, mostly because it would not make sense to have a runtime doing that. Deno is not a browser but takes the risks of a browser. Running Deno install is as safe as browsing the internet using Windows CP without SP 2 and Internet Explorer below 6. Also, importing a module over https does not mean this module won't import anything using http. Should you review the code of all imported modules? This is virtually impossible. Deno must disable http by default and provide a flag to re-enable it. This is factually a security issue in Deno.
I wouldn't be surprised if this was exactly the direction that Deno was trying to move towards. Fewer direct dependencies with some amount of transitive trust.
I.e. "[Deno] has a set of reviewed (audited) standard modules"
> Windows CP without SP 2 and Internet Explorer below 6
I get the point you're trying to make with this hyperbole but browsers still let you view http pages (by default).
> Deno must disable http by default and provide a flag to re-enable it. This is factually a security issue in Deno.
Again I agree with your idea about disabling by default but there is another perspective (and I think Ryan deserves some empathy).