Add support for "--disallow-code-generation-from-strings" flag to workers

[capricorn86]

What is the problem this feature will solve?

I'm the creator and main maintainer of happy-dom. We recommend users to use the flags --disallow-code-generation-from-strings and --frozen-intrinsics when Javascript evaluation is enabled in happy-dom to make it harder for a potential attacker to escape a VM context and execute code at process level.

One of the packages uses Workers and it would be great if these flags could be sent in to "execArgv" when creating the Worker. It seems like --frozen-intrinsics is already supported.

What is the feature you are proposing to solve the problem?

Add support for --disallow-code-generation-from-strings to "execArgv" in Worker.

Example:

const worker = new Worker(new URL('ServerRendererWorker.js', import.meta.url), {
   execArgv: ['--disallow-code-generation-from-strings']
});

What alternatives have you considered?

No response

[juanarbol]

I'll take a look, thanks! This is a very interesting feature request

[juanarbol]

Based on docs

V8 options (such as --max-old-space-size) and options that affect the process (such as --title) are not supported. If set, this is provided as process.execArgv inside the worker. By default, options are inherited from the parent thread.

I'll ping @nodejs/workers, can I ask why aren't v8 options supported for a worker thread? Is there a feasible way to support them? Or at least a handful of them? This --disallow-code-generation-from-strings seems a quite interesting security feature -as OP mentioned-.

Refs: https://nodejs.org/docs/latest/api/worker_threads.html#new-workerfilename-options