Diffstat (limited to 'doc')
-rw-r--r-- doc/api/cli.md 13
-rw-r--r-- doc/api/policy.md 9
-rw-r--r-- doc/node.1 3
3 files changed, 25 insertions, 0 deletions
diff --git a/doc/api/cli.md b/doc/api/cli.md
index d63749819e..5e60b509e3 100644
--- a/doc/api/cli.md
+++ b/doc/api/cli.md
@@ -457,6 +457,17 @@ unless either the `--pending-deprecation` command line flag, or the
are used to provide a kind of selective "early warning" mechanism that
developers may leverage to detect deprecated API usage.
+### `--policy-integrity=sri`
+<!-- YAML
+added: REPLACEME
+-->
+
+> Stability: 1 - Experimental
+
+Instructs Node.js to error prior to running any code if the policy does not have
+the specified integrity. It expects a [Subresource Integrity][] string as a
+parameter.
+
### `--preserve-symlinks`
<!-- YAML
added: v6.3.0
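Review bot: The new `--policy-integrity=sri` entry never says which policy is being checked or how the flag relates to `--experimental-policy`. A reader landing on this section alone sees only "the policy". Suggest naming the manifest passed via `--experimental-policy` explicitly, stating what happens when `--policy-integrity` is given without it, and noting which hash algorithms are accepted in the Subresource Integrity string, since the text only says that one is expected.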
@@ -992,6 +1003,7 @@ Node.js options that are allowed are:
- `--no-warnings`
- `--openssl-config`
- `--pending-deprecation`
+- `--policy-integrity`
- `--preserve-symlinks-main`
- `--preserve-symlinks`
- `--prof-process`
@@ -1196,6 +1208,7 @@ greater than `4` (its current default value). For more information, see the
[Chrome DevTools Protocol]: https://chromedevtools.github.io/devtools-protocol/
[REPL]: repl.html
[ScriptCoverage]: https://chromedevtools.github.io/devtools-protocol/tot/Profiler#type-ScriptCoverage
+[Subresource Integrity]: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
[V8 JavaScript code coverage]: https://v8project.blogspot.com/2017/12/javascript-code-coverage.html
[customizing esm specifier resolution]: esm.html#esm_customizing_esm_specifier_resolution_algorithm
[debugger]: debugger.html
diff --git a/doc/api/policy.md b/doc/api/policy.md
index be7ea3480b..a1955f2b3e 100644
--- a/doc/api/policy.md
+++ b/doc/api/policy.md
@@ -38,6 +38,15 @@ node --experimental-policy=policy.json app.js
The policy manifest will be used to enforce constraints on code loaded by
Node.js.
+In order to mitigate tampering with policy files on disk, an integrity for
+the policy file itself may be provided via `--policy-integrity`.
+This allows running `node` and asserting the policy file contents
+even if the file is changed on disk.
+
+```sh
+node --experimental-policy=policy.json --policy-integrity="sha384-SggXRQHwCG8g+DktYYzxkXRIkTiEYWBHqev0xnpCxYlqMBufKZHAHQM3/boDaI/0" app.js
+```
+
## Features
### Error Behavior
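Review bot: The added sentence "asserting the policy file contents even if the file is changed on disk" is ambiguous about the failure mode. It can be read as Node.js continuing with the expected contents, whereas the cli.md text in this same patch says Node.js errors prior to running any code. Suggest stating here that startup fails when the manifest does not match the supplied integrity. The example also gives a `sha384-...` value with no indication of how to derive it for `policy.json`. A short line on generating the string would make the example reproducible. Since the stated goal is to mitigate tampering on disk, it is also worth saying that the integrity value needs to come from somewhere an attacker who can modify the policy file cannot also modify.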
diff --git a/doc/node.1 b/doc/node.1
index 14266a3f57..0c8de4b75f 100644
--- a/doc/node.1
+++ b/doc/node.1
@@ -231,6 +231,9 @@ Among other uses, this can be used to enable FIPS-compliant crypto if Node.js is
.It Fl -pending-deprecation
Emit pending deprecation warnings.
.
+.It Fl -policy-integrity Ns = Ns Ar sri
+Instructs Node.js to error prior to running any code if the policy does not have the specified integrity. It expects a Subresource Integrity string as a parameter.
+.
.It Fl -preserve-symlinks
Instructs the module loader to preserve symbolic links when resolving and caching modules other than the main module.
.
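Review bot: The `.It Fl -policy-integrity` entry omits the experimental status that the cli.md hunk declares with "Stability: 1 - Experimental", so the man page presents the flag as stable. Suggest adding a short note that the option is experimental, and mentioning that it applies to the policy manifest so the entry is understandable without the HTML docs.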