From 2eeb44f3facb58dacbcb2f270d4f169a2c81ee08 Mon Sep 17 00:00:00 2001
From: Bradley Farias <bradley.meck@gmail.com>
Date: Wed, 5 Jun 2019 13:33:07 -0500
Subject: policy: add policy-integrity to mitigate policy tampering

PR-URL: https://github.com/nodejs/node/pull/28734
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Guy Bedford <guybedford@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
---
 doc/api/cli.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'doc/api/cli.md')

diff --git a/doc/api/cli.md b/doc/api/cli.md
index d63749819e..5e60b509e3 100644
--- a/doc/api/cli.md
+++ b/doc/api/cli.md
@@ -457,6 +457,17 @@ unless either the `--pending-deprecation` command line flag, or the
 are used to provide a kind of selective "early warning" mechanism that
 developers may leverage to detect deprecated API usage.
 
+### `--policy-integrity=sri`
+<!-- YAML
+added: REPLACEME
+-->
+
+> Stability: 1 - Experimental
+
+Instructs Node.js to error prior to running any code if the policy does not have
+the specified integrity. It expects a [Subresource Integrity][] string as a
+parameter.
+
 ### `--preserve-symlinks`
 <!-- YAML
 added: v6.3.0
@@ -992,6 +1003,7 @@ Node.js options that are allowed are:
 - `--no-warnings`
 - `--openssl-config`
 - `--pending-deprecation`
+- `--policy-integrity`
 - `--preserve-symlinks-main`
 - `--preserve-symlinks`
 - `--prof-process`
@@ -1196,6 +1208,7 @@ greater than `4` (its current default value). For more information, see the
 [Chrome DevTools Protocol]: https://chromedevtools.github.io/devtools-protocol/
 [REPL]: repl.html
 [ScriptCoverage]: https://chromedevtools.github.io/devtools-protocol/tot/Profiler#type-ScriptCoverage
+[Subresource Integrity]: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
 [V8 JavaScript code coverage]: https://v8project.blogspot.com/2017/12/javascript-code-coverage.html
 [customizing esm specifier resolution]: esm.html#esm_customizing_esm_specifier_resolution_algorithm
 [debugger]: debugger.html
-- 
cgit v1.2.3