6.8 Protected Exports

Sometimes, a module needs to export bindings to other modules that are at the same trust level as the exporting module, while at the same time preventing access from untrusted modules. Such exports should use the protect-out form in provide. For example, ffi/unsafe exports all of its unsafe bindings as protected in this sense.

Levels of trust are implemented with code inspectors (see Code Inspectors for Trusted and Untrusted Code). Only modules loaded with an equally strong code inspector as an exporting module can use protected bindings from the exporting module. Operations like dynamic-require are granted access depending on the current code inspector as determined by current-code-inspector.

When a module re-exports a protected binding, it does not need to use protect-out again. Access is always determined by the code inspector of the module that originally defines a protected binding. When using a protected binding within a module, take care to either provide new bindings from the module with protect-out or ensure that no provided bindings expose functionality that was meant to be protected in the first place.
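The following is an added example, not code from the Racket documentation, showing both the access rule and the wrapper pitfall described above. The submodule names `vault` and `leaky`, their bindings, and the helper `try` are hypothetical; the example assumes it is saved as a file and run with `racket`, so that both submodules are declared under the initial code inspector.

```racket
#lang racket/base
;; Added example; all module and binding names here are hypothetical.
(require syntax/location)   ; for quote-module-path

(module vault racket/base
  (provide vault-info
           (protect-out read-secret))   ; only equally trusted code may use this
  (define (vault-info) "vault 1.0")
  (define (read-secret) "constructed-secret"))

(module leaky racket/base
  (require (submod ".." vault))
  ;; Mistake: a plain export that wraps the protected binding.
  ;; It should be (provide (protect-out peek)) or not be provided at all.
  (provide peek)
  (define (peek) (read-secret)))

;; Fetch export `name` from `mod` and call it; report a refusal as a string.
(define (try mod name)
  (with-handlers ([exn:fail? (lambda (e) (format "denied: ~a" (exn-message e)))])
    ((dynamic-require mod name))))

(define vault-path (quote-module-path vault))
(define leaky-path (quote-module-path leaky))

;; Same inspector as the one the modules were declared under:
;; the protected export is available.
(printf "trusted   read-secret -> ~a\n" (try vault-path 'read-secret))
(printf "trusted   peek        -> ~a\n" (try leaky-path 'peek))

;; A sub-inspector is weaker than the declaring inspector, so code running
;; with it as current-code-inspector is at a lower trust level.
(parameterize ([current-code-inspector (make-inspector (current-code-inspector))])
  ;; Ordinary exports are unaffected.
  (printf "untrusted vault-info  -> ~a\n" (try vault-path 'vault-info))
  ;; The protected export is refused by dynamic-require.
  (printf "untrusted read-secret -> ~a\n" (try vault-path 'read-secret))
  ;; The unprotected wrapper still hands out the protected functionality.
  (printf "untrusted peek        -> ~a\n" (try leaky-path 'peek)))
```

When auditing a module that requires protected bindings, check every entry in its `provide` forms for wrappers like `peek` that are not themselves under `protect-out`.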