node
node copied to clipboard
nodejs
doc: clarify the scope of `--disallow-code-generation-from-strings`
Node.js does not support CSP. This flag was originally exposed as a V8 flag, and documented in Node.js, only supporting guarding the listed APIs.
https://github.com/nodejs/node/pull/28614 did nothing wrong as the flag was never meant to interfere module system, including require and import. Module APIs like module loaders (specifically the load hook, as it loads modules as source strings), require.extensions and CJS module._compile are all compiling module codes as string in JavaScript and I don't see it is possible to disable the whole module system for this flag.
I think we should make it clear that it is a V8 flag and can change or be removed at any time. Node.js does not provide stability guarantee of this and it should not be used for security purposes. It only provides whatever V8 provides - it's okay to document what they are now the last time people checked, but we should also note that the documentation on the Node.js side may not be up to date.
If people are interested in a flag that does more than what the V8 flag does, IMO it's better to just implement a different flag that may or may not imply the V8 flag, depending on whether it's necessary/helpful.
There's no need to list things it doesn't affect so long as there is a definitive list of what it does affect.
To that end, being clear about the exact language features being disallowed is important, words such as "like" in the text should be removed and an exhaustive list of disallowed features needs to be present with no room for misinterpretation.
Expanding the scope of the flag to disallow more non-v8 covered features is possible in a follow up contribution.
