Policies

Stability: 0 - Deprecated: Will be removed shortly

Node.js contains experimental support for creating policies on loading code.

Policies are a security feature intended to ensure the integrity of the loaded code.

While it does not function as a provenance mechanism to trace the origin of code, it serves as a robust defense against the execution of malicious code. Unlike runtime-based models that may restrict capabilities once the code is loaded, Node.js policies focus on preventing malicious code from ever being fully loaded into the application in the first place.

The use of policies assumes safe practices for the policy files, such as using file permissions to ensure that the policy file cannot be overwritten by the Node.js application.

A best practice is to ensure that the policy manifest is read-only for the running Node.js application and that the running application cannot change the file in any way. A typical setup is to create the policy file as a different user id than the one running Node.js and to grant read permission to the user id running Node.js.
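As an added example (not part of the Node.js documentation), the following POSIX shell script builds a policy manifest that pins the integrity of an entry script and then makes the manifest read-only, as the paragraph above recommends. The helper names `policy_integrity`, `write_policy` and `policy_mode` are chosen here, `app.js` is a constructed input, and the script assumes `openssl` is installed and a Node.js release that still ships the deprecated `--experimental-policy` flag.

```shell
#!/bin/sh
# Added example, not from the Node.js docs: pin an entry script's integrity in a
# policy manifest and make the manifest unwritable for the running application.

# Subresource-Integrity style digest of a file: "sha384-<base64 of raw digest>".
# This is the value Node.js expects in a resource's "integrity" field.
policy_integrity() {
    printf 'sha384-%s' "$(openssl dgst -sha384 -binary "$1" | openssl base64 -A)"
}

# Write a manifest listing each given script (path relative to the manifest)
# with its integrity, then drop write permission for everyone.
# In production, create the file as a different user than the one running
# Node.js and give that user read access only, e.g. as root:
#   chown root:node policy.json && chmod 0640 policy.json
write_policy() {
    manifest="$1"; shift
    {
        printf '{\n  "resources": {\n'
        first=1
        for script in "$@"; do
            [ "$first" -eq 1 ] || printf ',\n'
            first=0
            printf '    "./%s": { "integrity": "%s" }' "$script" "$(policy_integrity "$script")"
        done
        printf '\n  }\n}\n'
    } > "$manifest"
    chmod 0444 "$manifest"
}

# Permission bits of a file as shown by ls, e.g. "r--r--r--" (portable check
# that the manifest carries no write bit).
policy_mode() {
    ls -l "$1" | cut -c2-10
}

# Demo on a constructed script in a temporary directory.
demo_dir=$(mktemp -d)
printf 'console.log("hello from a pinned script");\n' > "$demo_dir/app.js"
( cd "$demo_dir" && write_policy policy.json app.js )
cat "$demo_dir/policy.json"
echo "manifest mode: $(policy_mode "$demo_dir/policy.json")"
# Run with the manifest enforced, and pin the manifest itself as well:
#   node --experimental-policy=policy.json \
#        --policy-integrity="$(policy_integrity policy.json)" app.js
```

If `app.js` is modified after the manifest is written, its digest no longer matches and Node.js refuses to load it, which is the "never fully loaded" behaviour the text describes.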