Just to clarify a nuance here:
IMO --allow-net=https://* server.js should not be equivalent to --allow-net=*/**:443 server.js:
The first one is scheme based (protocol-based), and should allow me to access everything using HTTPS, even if the server-side port is not 443 (i.e. https://somewhere.com:1234 should work).
The second one is port-based, and should allow me to access everything on port 443, even via non-HTTPS protocols such as HTTP, AMQP, MQTT etc. (i.e. amqp://somwhere:443 should work).

Yes you are right.

This especially! --allow-net=*.slack.com 🙏

Ran into this just now with the aws sdk.

Was wanting to limit to something like cloudformation.*.amazonaws.com, where the wildcard would match the region

Hi @ry this issue has been open for 2 years and we haven't heard any positive response about it, anything going on with this?

There is no movement on this front whatsoever. I will raise this topic on the next design meeting.

Okay, thanks for your concern.

While this is not a priority for the core team, we would be happy to accept a PR that implements wildcard matching for --allow-net flag.

Am I on base in thinking that the changes would be in this permissions.rs file, specifically UnaryPermission<NetDescriptor>'s 3 "check" methods (check, check_url, and check_all)?

I don't really know Rust (or how to read it...) but that's where I got to after some code tracing.

Eagerly waiting for this!

The domains allowed in my deno.json are : --allow-net=<few_others>,salesforce.com
I thought that allowing a top-level domain like salesforce.com should resolve all the subdomains
but yet during runtime when i try to do a fetch, it asks me this:

┏ ⚠️  Deno requests net access to "some-custom-domain-dev-ed.my.salesforce.com:443".
┠─ Requested by `fetch()` API.
┠─ To see a stack trace for this prompt, set the DENO_TRACE_PERMISSIONS environmental variable.
┠─ Learn more at: https://docs.deno.com/go/--allow-net
┠─ Run again with --allow-net to bypass this prompt.
┗ Allow? [y/n/A] (y = yes, allow; n = no, deny; A = allow all net permissions) > 

Not having it makes it almost impossible to connect to multi-region services. Like for example Discord has about thousand subdomains depending on location: gateway-us-east1-a.discord.gg, gateway-us-east1-b.discord.gg, gateway-us-east1-c.discord.gg, finland10057.discord.gg, finland10063.discord.gg, bucharest1832.discord.gg etc

Similar stuff with several other more enterprisey software, like GCP, AWS etc. It's hard to pinpoint down all the subdomains

Easy route is to do just --allow-net and give access to everything, but this also gives access to internal.gov, malicious.site etc making whole net security layer useless