Add security notes to the URL imports documentation. #30708

Merged
merged 2 commits into from Nov 1, 2021

@leerob leerob commented Oct 31, 2021

No description provided.

@@ -27,6 +27,10 @@ import { a, b, c } from 'https://example.com/modules/some/module.js'

URL Imports can be used everywhere normal package imports can be used.

## Security Model

This feature is being designed with **security as the top priority**. To start, we added an experimental flag forcing you to explicitly allow the domains you accept URL imports from. We're working to take this further by limiting URL imports to execute in the browser sandbox using the [Edge Runtime](/docs/api-reference/edge-runtime.md). This runtime is used by [Middleware](/docs/middleware.md) as well as [Next.js Live](https://vercel.com/live).
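
Review bot: The new Security Model paragraph refers to "an experimental flag forcing you to explicitly allow the domains you accept URL imports from" without naming the flag or saying where it is set, so a reader cannot act on the control from this section; name the configuration key here or link to the place that documents it. The following sentence, "We're working to take this further by limiting URL imports to execute in the browser sandbox", describes planned work, so it would help to state plainly which controls are in effect today and which are not, so that nobody reads the Edge Runtime sandbox as an existing guarantee. The paragraph also says nothing about how a fetched module is pinned or verified after the domain check passes, which is the first thing a reader assessing supply-chain risk will look for.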
This looks fine, I think it should also explain how files are downloaded and locked during development and not downloaded at runtime. Can be done in a follow-up PR.

@timneutkens timneutkens merged commit 175dd0f into canary Nov 1, 2021
@timneutkens timneutkens deleted the leerob-patch-2 branch November 1, 2021 06:35
timneutkens pushed a commit to timneutkens/next.js that referenced this pull request Nov 2, 2021
@vercel vercel locked as resolved and limited conversation to collaborators Jan 27, 2022