政策

¥Policies

Node.js 包含了对创建加载代码的策略的实验性支持。

¥Node.js contains experimental support for creating policies on loading code.

策略是一种安全功能，旨在确保加载代码的完整性。

¥Policies are a security feature intended to ensure the integrity of the loaded code.

虽然它不能作为追踪代码来源的来源机制，但它可以作为针对恶意代码执行的强大防御。与基于运行时的模型在加载代码后可能会限制功能不同，Node.js 策略的重点是首先防止恶意代码完全加载到应用中。

¥While it does not function as a provenance mechanism to trace the origin of code, it serves as a robust defense against the execution of malicious code. Unlike runtime-based models that may restrict capabilities once the code is loaded, Node.js policies focus on preventing malicious code from ever being fully loaded into the application in the first place.

策略的使用假定策略文件的安全实践，例如确保 Node.js 应用不能使用文件权限覆盖策略文件。

¥The use of policies assumes safe practices for the policy files such as ensuring that policy files cannot be overwritten by the Node.js application by using file permissions.

最佳实践是确保正在运行的 Node.js 应用的策略清单是只读的，并且正在运行的 Node.js 应用不能以任何方式更改该文件。一个典型的设置是将策略文件创建为与运行 Node.js 的用户 ID 不同的用户 ID，并向运行 Node.js 的用户 ID 授予读取权限。

¥A best practice would be to ensure that the policy manifest is read-only for the running Node.js application and that the file cannot be changed by the running Node.js application in any way. A typical setup would be to create the policy file as a different user id than the one running Node.js and granting read permissions to the user id running Node.js.