With deno you need to manually specify if you want to permit internet access:
deno run --allow-net=xyz.com,abc.com
If you run without a domain, it allows access to all. Seems like it should be more explicit by default, perhaps there is a config option.
Speaking of config options, I wonder if there is a config option to prohibit access to domains like pastebin.org no matter what. Seems like an arms race that an attacker could circumvent, but maybe they won't bother and will only attack my dumber friends.
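The difference between the allowlist in the comment above and the denylist it wonders about, as an added example that is not part of the thread and not Deno's own code: a small JavaScript model of both checks, plus a capability-style wrapper that hands a library only an attenuated fetch. The function names, the exact-hostname matching rule and the sample URLs are assumptions made for illustration.

```javascript
// Added example: a model of allow/deny host checks, not Deno's implementation.
// Hostnames are the thread's placeholders or constructed samples.

// Normalise a hostname: lower-case and drop a trailing root dot ("xyz.com.").
function normHost(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// Build a checker. `allow === null` means "no allowlist": everything that is
// not denied passes, like running with unrestricted network access.
function makeNetPolicy({ allow = null, deny = [] } = {}) {
  const allowSet = allow === null ? null : new Set(allow.map(normHost));
  const denySet = new Set(deny.map(normHost));

  return function check(rawUrl) {
    let url;
    try {
      url = new URL(rawUrl);
    } catch {
      return { allowed: false, reason: "unparseable URL" };
    }
    // Decide on the parsed hostname, never on a substring of the raw URL:
    // "https://xyz.com@other.example/" has hostname "other.example".
    const host = normHost(url.hostname);
    if (denySet.has(host)) return { allowed: false, reason: `denied: ${host}` };
    if (allowSet === null) return { allowed: true, reason: "no allowlist" };
    if (allowSet.has(host)) return { allowed: true, reason: `allowlisted: ${host}` };
    return { allowed: false, reason: `not allowlisted: ${host}` };
  };
}

// Capability style: the library receives only this wrapper, not global fetch.
function attenuateFetch(fetchImpl, check) {
  return async function limitedFetch(rawUrl, init) {
    const verdict = check(rawUrl);
    if (!verdict.allowed) throw new Error(`network blocked (${verdict.reason})`);
    return fetchImpl(rawUrl, init);
  };
}
```

With only a denylist, every host nobody thought to list still passes; with an allowlist, an unlisted host fails closed.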
WebAssembly was designed to follow the same capability security principles. CHERI too as someone else just brought up.
Yet another newer capability system in progress -- I don't know what it can do today or if it tackles this particular problem but it sounds cool: https://spritelyproject.org/
WASM is great in that you can sandbox code and give it limited permissions to run. Actually I do hope wasm becomes more widespread as a base for app development, however, when importing library code into your own native code base, it's going to run with the same perms as that code base. Sandboxing a library would have the effect of making it probably slower and more annoying to interact with.
This isn't a language, but CHERI has hardware-enforced capabilities, so if your library was never given a pointer that (even transitively) has access to some secret, it's completely SOL as it's impossible to access any memory without the corresponding capability.
Don't programs running in iOS and perhaps Android (and macOS) have to put up modal dialogs requesting the person running the program for access to things it could screw up?
That's not nothing, but it's not a usable and flexible enough solution -- people end up giving far too coarse-grained authority because that's seemingly the only way that's easy.