From c0069e60331b91afe37945dcde09dfbbcba93fa7 Mon Sep 17 00:00:00 2001 From: Christian Svensson Date: Thu, 11 Sep 2025 20:55:17 +0200 Subject: [PATCH 1/3] feat: add docs and example with hostname wildcard usage --- runtime/fundamentals/security.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/runtime/fundamentals/security.md b/runtime/fundamentals/security.md index ed6beacf1..6b5aceb54 100644 --- a/runtime/fundamentals/security.md +++ b/runtime/fundamentals/security.md @@ -219,6 +219,9 @@ Network access is granted using the `--allow-net` flag. This flag can be specified with a list of IP addresses or hostnames to allow access to specific network addresses. +Hostnames must does not allow subdomains, unless explicitly listed. To allow all +subdomains of a hostname, wildcard can be used. + Definition: `--allow-net[=...]` or `-N[=...]` ```sh @@ -230,6 +233,9 @@ deno run --allow-net script.ts # Allow network access to github.com and jsr.io deno run --allow-net=github.com,jsr.io script.ts +# Allow all subdomains for example.com +deno run --allow-net=*.example.com script.ts + # A hostname at port 80: deno run --allow-net=example.com:80 script.ts From 64e0900066122480e234ff9062d31c781ed57a30 Mon Sep 17 00:00:00 2001 From: Christian Svensson Date: Thu, 11 Sep 2025 20:58:25 +0200 Subject: [PATCH 2/3] fix: improve the text a bit --- runtime/fundamentals/security.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/runtime/fundamentals/security.md b/runtime/fundamentals/security.md index 6b5aceb54..4cdd666f1 100644 --- a/runtime/fundamentals/security.md +++ b/runtime/fundamentals/security.md @@ -219,8 +219,8 @@ Network access is granted using the `--allow-net` flag. This flag can be specified with a list of IP addresses or hostnames to allow access to specific network addresses. -Hostnames must does not allow subdomains, unless explicitly listed. To allow all -subdomains of a hostname, wildcard can be used. +Hostnames does not allow subdomains, unless explicitly listed. To allow any +subdomain for a hostname, `*` can be used as wildcard for any subdomain. Definition: `--allow-net[=...]` or `-N[=...]` @@ -234,7 +234,7 @@ deno run --allow-net script.ts deno run --allow-net=github.com,jsr.io script.ts # Allow all subdomains for example.com -deno run --allow-net=*.example.com script.ts +deno run --allow-net="*.example.com" script.ts # A hostname at port 80: deno run --allow-net=example.com:80 script.ts From 042cf719f1e9345fd1d7eda050fc538db1ae5dc3 Mon Sep 17 00:00:00 2001 From: Jo Franchetti Date: Tue, 16 Sep 2025 11:03:19 +0100 Subject: [PATCH 3/3] Fix typo in security.md regarding hostnames --- runtime/fundamentals/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/runtime/fundamentals/security.md b/runtime/fundamentals/security.md index 4cdd666f1..431eb2056 100644 --- a/runtime/fundamentals/security.md +++ b/runtime/fundamentals/security.md @@ -219,7 +219,7 @@ Network access is granted using the `--allow-net` flag. This flag can be specified with a list of IP addresses or hostnames to allow access to specific network addresses. -Hostnames does not allow subdomains, unless explicitly listed. To allow any +Hostnames do not allow subdomains, unless explicitly listed. To allow any subdomain for a hostname, `*` can be used as wildcard for any subdomain. Definition: `--allow-net[=...]` or `-N[=...]`