Security Policy Tracking Issue

[bmeck]

Proposal

Current work is available at:
https://github.com/bmeck/node/tree/policy

Some docs for the current work:
https://github.com/bmeck/node/blob/policy/doc/api/policy.md

Slides explaining some modeling:
https://docs.google.com/presentation/d/153ME48cGiIo7RZpORjbbtogMbA4TeBZXv2EnEeKdZGg/edit#slide=id.g566f4eb51a_2_64

Status:

• code signing (punted to further milestone)

---

• SubResource Integrity
  • inclusion in policy manifest format
    • self check
    • dependency check
  • check on loading code
    • basic require() integration
    • loader integration
    • able to be moved off process (punted, needs help)

---

• freezing primordials (needs help)
  • polyfill loading mechanism (punted, needs help)
    • inclusion in cli
    • privilege requirements in policy manifest format
  • JS globals frozen (adopt from proposal)
  • Node.js core frozen

---

• constraining APIs (requires freezing primordials, needs help)
  • membranes around dependencies
  • userland defined constraints (punted)

---

• removal of Features - See process: initial impl of feature access control  node#22112

---

• tooling Integrations (punted, needs help)
  • generate/edit manifest when installing packages
  • verify integrities without loading node
  • mode to prompt on failed checks (requires escalated privileges)
    • integrity prompt
    • privilege prompt

It would be nice to have some meetings on how to coordinate work so that multiple different things can be worked on at the same time. Also, probably nice to make a fork within the foundation or under this working group.

[github-actions]

This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.