Skip to content

doc: clarify the scope of --disallow-code-generation-from-strings #58328

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

doc: clarify the scope of --disallow-code-generation-from-strings #58328

wants to merge 1 commit into from

Conversation

legendecas
Copy link
Member

Fixes: #58221

@nodejs-github-bot nodejs-github-bot added cli Issues and PRs related to the Node.js command line interface. doc Issues and PRs related to the documentations. labels May 14, 2025
ChALkeR
ChALkeR suggested changes May 14, 2025
View reviewed changes
Copy link
Member

@ChALkeR ChALkeR left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No.

Documenting the incomplete behavior and setting it in stone would be more problematic, I think.

Instead, #28614 should have respected this flag

Not doing that that is hardly helpful and makes this flag close to useless.
While doing that will very unlikely break anything.

Also the path of least surprise in the behavior is blocking data imports on that flag, like browsers do with CSP.

See also explanation in #58221

@legendecas
Copy link
Member Author

legendecas commented May 14, 2025
edited
Loading

Node.js does not support CSP. This flag was originally exposed as a V8 flag, and documented in Node.js, only supporting guarding the listed APIs.

#28614 did nothing wrong as the flag was never meant to interfere module system, including require and import. Module APIs like module loaders (specifically the load hook, as it loads modules as source strings), require.extensions and CJS module._compile are all compiling module codes as string in JavaScript and I don't see it is possible to disable the whole module system for this flag.

@ChALkeR
Copy link
Member

ChALkeR commented May 14, 2025

cc @nodejs/tsc pls discuss this

aduh95
aduh95 requested changes May 15, 2025
View reviewed changes
Copy link
Contributor

@aduh95 aduh95 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding a request for change so this doesn't land without @ChALkeR's objection getting dismissed by either Nikita or a TSC vote.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ChALkeR ChALkeR ChALkeR requested changes

@aduh95 aduh95 aduh95 requested changes

@anonrig anonrig anonrig approved these changes

@marco-ippolito marco-ippolito marco-ippolito approved these changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
cli Issues and PRs related to the Node.js command line interface. doc Issues and PRs related to the documentations.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

--disallow-code-generation-from-strings does not work as documented
6 participants
@legendecas @ChALkeR @anonrig @aduh95 @marco-ippolito @nodejs-github-bot