policy: manifest with subresource integrity checks

This enables code loaded via the module system to be checked for
integrity to ensure the code loaded matches expectations.

PR-URL: https://github.com/nodejs/node/pull/23834
Reviewed-By: Guy Bedford <guybedford@gmail.com>
Reviewed-By: Vladimir de Turckheim <vlad2t@hotmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>

1 files changed, 33 insertions, 0 deletions

diff --git a/lib/internal/process/policy.js b/lib/internal/process/policy.js
new file mode 100644
index 0000000000..f5ca4eeb07
--- /dev/null
+++ b/lib/internal/process/policy.js
@@ -0,0 +1,33 @@
+'use strict';
+
+const {
+  ERR_MANIFEST_TDZ,
+} = require('internal/errors').codes;
+const { Manifest } = require('internal/policy/manifest');
+let manifest;
+module.exports = Object.freeze({
+  __proto__: null,
+  setup(src, url) {
+    if (src === null) {
+      manifest = null;
+      return;
+    }
+    const json = JSON.parse(src, (_, o) => {
+      if (o && typeof o === 'object') {
+        Reflect.setPrototypeOf(o, null);
+        Object.freeze(o);
+      }
+      return o;
+    });
+    manifest = new Manifest(json, url);
+  },
+  get manifest() {
+    if (typeof manifest === 'undefined') {
+      throw new ERR_MANIFEST_TDZ();
+    }
+    return manifest;
+  },
+  assertIntegrity(moduleURL, content) {
+    this.manifest.matchesIntegrity(moduleURL, content);
+  }
+});