For the following example, has been granted read-only access to the file system. It cannot write to it, or perform any other security-sensitive functions.

The following permissions are available:

• --allow-env Allow environment access for things like getting and setting of environment variables.
• --allow-hrtime Allow high-resolution time measurement. High-resolution time can be used in timing attacks and fingerprinting.
• --allow-net=<allow-net> Allow network access. You can specify an optional, comma-separated list of domains to provide an allow-list of allowed domains.
• --allow-plugin Allow loading plugins. Please note that —allow-plugin is an unstable feature.
• --allow-run Allow running subprocesses. Be aware that subprocesses are not run in a sandbox and therefore do not have the same security restrictions as the deno process. Therefore, use with caution.
• --allow-write=<allow-write> Allow file system write access. You can specify an optional, comma-separated list of directories or files to provide a allow-list of allowed file system access.

Deno also allows you to control the granularity of some permissions with allow-lists.

Try it out again with the correct permissions by allow-listing /etc instead:

--allow-write works the same as .

fetch.ts:

const result = await fetch("https://deno.land/");

If fetch.ts tries to establish network connections to any other domain, the process will fail.

Allow net calls to any host/url:

Ryan Dahl. (September 25, 2020). . Speakeasy JS.