Permission Inheritance (--allow-worker inherits parent permissions) #62222

@mcollina

What is the problem this feature will solve?

Today, --allow-worker is an all-or-nothing escape hatch. The docs state this explicitly as a constraint: "The model does not inherit to a worker thread." This means any code running inside a worker can access the filesystem, spawn child processes, and do anything else without restriction, regardless of what the main thread was allowed to do.

This defeats the purpose of the permission model for any application that uses workers, which is most CPU-intensive Node.js applications.

What is the feature you are proposing to solve the problem?

When the main thread creates a Worker, the worker inherits a snapshot of the parent thread's permission state at the time of creation. The worker starts with exactly the same permissions as its parent — no more, no less.

// Main thread: started with --permission --allow-fs-read=/app --allow-worker
const { Worker } = require('node:worker_threads');
 
const worker = new Worker('./task.js');
// task.js runs with fs.read granted for /app only
// task.js cannot spawn child processes (parent couldn't either)
// task.js cannot read /etc, /home, or anything outside /app

This might be a breaking change. We could then add a --allow-inherit-worker to achieve the same.

What alternatives have you considered?

No response

Labels: feature request, permission

Status: Awaiting Triage