lib: enable global WebCrypto by default

Enables `--experimental-global-webcrypto` by default, and ensures that
the classic `node:crypto` core module is still available in `--eval` or
`--print` contexts.

.eslintrc.js

@@ -317,6 +317,7 @@ module.exports = {
     'node-core/no-duplicate-requires': 'error',
   },
   globals: {
+    crypto: 'readable',
     Crypto: 'readable',
     CryptoKey: 'readable',
     fetch: 'readable',

doc/api/cli.md

@@ -280,14 +280,6 @@ effort to report stack traces relative to the original source file.
 Overriding `Error.prepareStackTrace` prevents `--enable-source-maps` from
 modifying the stack trace.
 
-### `--experimental-global-webcrypto`
-
-<!-- YAML
-added: v17.6.0
--->
-
-Expose the [Web Crypto API][] on the global scope.
-
 ### `--experimental-import-meta-resolve`
 
 <!-- YAML
@@ -333,6 +325,14 @@ added: REPLACEME
 
 Disable experimental support for the [Fetch API][].
 
+### `--no-experimental-global-webcrypto`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+Disable exposition of [Web Crypto API][] on the global scope.
+
 ### `--no-experimental-repl-await`
 
 <!-- YAML
@@ -1587,7 +1587,6 @@ Node.js options that are allowed are:
 * `--enable-fips`
 * `--enable-source-maps`
 * `--experimental-abortcontroller`
-* `--experimental-global-webcrypto`
 * `--experimental-import-meta-resolve`
 * `--experimental-json-modules`
 * `--experimental-loader`
@@ -1617,6 +1616,7 @@ Node.js options that are allowed are:
 * `--no-addons`
 * `--no-deprecation`
 * `--no-experimental-fetch`
+* `--no-experimental-global-webcrypto`
 * `--no-experimental-repl-await`
 * `--no-extra-info-on-fatal-exception`
 * `--no-force-async-hooks-checks`

doc/api/globals.md

@@ -311,10 +311,14 @@ Used to print to stdout and stderr. See the [`console`][] section.
 
 <!-- YAML
 added: v17.6.0
+changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/42083
+    description: No longer behind `--experimental-global-webcrypto` CLI flag.
 -->
 
-> Stability: 1 - Experimental. Enable this API with the
-> [`--experimental-global-webcrypto`][] CLI flag.
+> Stability: 1 - Experimental. Disable this API with the
+> [`--no-experimental-global-webcrypto`][] CLI flag.
 
 A browser-compatible implementation of {Crypto}. This global is available
 only if the Node.js binary was compiled with including support for the
@@ -324,21 +328,29 @@ only if the Node.js binary was compiled with including support for the
 
 <!-- YAML
 added: v17.6.0
+changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/42083
+    description: No longer behind `--experimental-global-webcrypto` CLI flag.
 -->
 
-> Stability: 1 - Experimental. Enable this API with the
-> [`--experimental-global-webcrypto`][] CLI flag.
+> Stability: 1 - Experimental. Disable this API with the
+> [`--no-experimental-global-webcrypto`][] CLI flag.
 
 A browser-compatible implementation of the [Web Crypto API][].
 
 ## `CryptoKey`
 
 <!-- YAML
 added: v17.6.0
+changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/42083
+    description: No longer behind `--experimental-global-webcrypto` CLI flag.
 -->
 
-> Stability: 1 - Experimental. Enable this API with the
-> [`--experimental-global-webcrypto`][] CLI flag.
+> Stability: 1 - Experimental. Disable this API with the
+> [`--no-experimental-global-webcrypto`][] CLI flag.
 
 A browser-compatible implementation of {CryptoKey}. This global is available
 only if the Node.js binary was compiled with including support for the
@@ -586,10 +598,14 @@ The WHATWG [`structuredClone`][] method.
 
 <!-- YAML
 added: v17.6.0
+changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/42083
+    description: No longer behind `--experimental-global-webcrypto` CLI flag.
 -->
 
-> Stability: 1 - Experimental. Enable this API with the
-> [`--experimental-global-webcrypto`][] CLI flag.
+> Stability: 1 - Experimental. Disable this API with the
+> [`--no-experimental-global-webcrypto`][] CLI flag.
 
 A browser-compatible implementation of {SubtleCrypto}. This global is available
 only if the Node.js binary was compiled with including support for the
@@ -660,8 +676,8 @@ The object that acts as the namespace for all W3C
 [Mozilla Developer Network][webassembly-mdn] for usage and compatibility.
 
 [Web Crypto API]: webcrypto.md
-[`--experimental-global-webcrypto`]: cli.md#--experimental-global-webcrypto
 [`--no-experimental-fetch`]: cli.md#--no-experimental-fetch
+[`--no-experimental-global-webcrypto`]: cli.md#--no-experimental-global-webcrypto
 [`AbortController`]: https://developer.mozilla.org/en-US/docs/Web/API/AbortController
 [`DOMException`]: https://developer.mozilla.org/en-US/docs/Web/API/DOMException
 [`EventTarget` and `Event` API]: events.md#eventtarget-and-event-api

doc/node.1

@@ -139,9 +139,6 @@ Requires Node.js to be built with
 .It Fl -enable-source-maps
 Enable Source Map V3 support for stack traces.
 .
-.It Fl -experimental-global-webcrypto
-Expose the Web Crypto API on the global scope.
-.
 .It Fl -experimental-import-meta-resolve
 Enable experimental ES modules support for import.meta.resolve().
 .
@@ -159,6 +156,9 @@ Use the specified file as a security policy.
 .It Fl -no-experimental-fetch
 Disable experimental support for the Fetch API.
 .
+.It Fl -no-experimental-global-webcrypto
+Disable exposition of the Web Crypto API on the global scope.
+.
 .It Fl -no-experimental-repl-await
 Disable top-level await keyword support in REPL.
 .

lib/internal/bootstrap/pre_execution.js

@@ -199,7 +199,7 @@ function setupFetch() {
 //               removed.
 function setupWebCrypto() {
   if (process.config.variables.node_no_browser_globals ||
-      !getOptionValue('--experimental-global-webcrypto')) {
+      getOptionValue('--no-experimental-global-webcrypto')) {
     return;
   }
 

lib/internal/main/eval_string.js

@@ -16,6 +16,8 @@ const { addBuiltinLibsToObject } = require('internal/modules/cjs/helpers');
 const { getOptionValue } = require('internal/options');
 
 prepareMainThreadExecution();
+// Delete Webcrypto from the global scope for backward compatibility.
+delete globalThis.crypto;
 addBuiltinLibsToObject(globalThis, '<eval>');
 markBootstrapComplete();
 

src/node_options.cc

@@ -323,7 +323,8 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
   AddOption("--experimental-global-webcrypto",
             "expose experimental Web Crypto API on the global scope",
             &EnvironmentOptions::experimental_global_web_crypto,
-            kAllowedInEnvironment);
+            kAllowedInEnvironment,
+            true);
   AddOption("--experimental-json-modules", "", NoOp{}, kAllowedInEnvironment);
   AddOption("--experimental-loader",
             "use the specified module as a custom loader",

src/node_options.h

@@ -108,7 +108,7 @@ class EnvironmentOptions : public Options {
   std::string dns_result_order;
   bool enable_source_maps = false;
   bool experimental_fetch = true;
-  bool experimental_global_web_crypto = false;
+  bool experimental_global_web_crypto = true;
   bool experimental_https_modules = false;
   std::string experimental_specifier_resolution;
   bool experimental_wasm_modules = false;

test/parallel/test-bootstrap-modules.js

@@ -16,6 +16,7 @@ const expectedModules = new Set([
   'Internal Binding constants',
   'Internal Binding contextify',
   'Internal Binding credentials',
+  'Internal Binding crypto',
   'Internal Binding errors',
   'Internal Binding fs_dir',
   'Internal Binding fs_event_wrap',
@@ -55,6 +56,12 @@ const expectedModules = new Set([
   'NativeModule internal/console/constructor',
   'NativeModule internal/console/global',
   'NativeModule internal/constants',
+  'NativeModule internal/crypto/hash',
+  'NativeModule internal/crypto/hashnames',
+  'NativeModule internal/crypto/keys',
+  'NativeModule internal/crypto/random',
+  'NativeModule internal/crypto/util',
+  'NativeModule internal/crypto/webcrypto',
   'NativeModule internal/dtrace',
   'NativeModule internal/encoding',
   'NativeModule internal/errors',
@@ -120,6 +127,7 @@ const expectedModules = new Set([
   'NativeModule internal/streams/duplex',
   'NativeModule internal/streams/end-of-stream',
   'NativeModule internal/streams/from',
+  'NativeModule internal/streams/lazy_transform',
   'NativeModule internal/streams/legacy',
   'NativeModule internal/streams/operators',
   'NativeModule internal/streams/passthrough',

test/parallel/test-cli-eval.js

@@ -288,3 +288,13 @@ child.exec(
   common.mustSucceed((stdout) => {
     assert.strictEqual(stdout, '.mjs file\n');
   }));
+
+if (common.hasCrypto) {
+  // Assert that calls to crypto utils work without require.
+  child.exec(
+    `${nodejs} ` +
+      '-e "console.log(crypto.randomBytes(16).toString(\'hex\'))"',
+    common.mustSucceed((stdout) => {
+      assert.match(stdout, /[0-9a-f]{32}/i);
+    }));
+}

test/parallel/test-global-webcrypto-classes.js

@@ -1,4 +1,4 @@
-// Flags: --experimental-global-webcrypto --expose-internals
+// Flags: --expose-internals
 'use strict';
 
 const common = require('../common');

test/parallel/test-global-webcrypto-disbled.js

@@ -0,0 +1,10 @@
+// Flags: --no-experimental-global-webcrypto
+'use strict';
+
+require('../common');
+const assert = require('assert');
+
+assert.strictEqual(typeof crypto, 'undefined');
+assert.strictEqual(typeof Crypto, 'undefined');
+assert.strictEqual(typeof CryptoKey, 'undefined');
+assert.strictEqual(typeof SubtleCrypto, 'undefined');

test/parallel/test-global.js

@@ -55,6 +55,7 @@ builtinModules.forEach((moduleName) => {
     'setTimeout',
     'structuredClone',
     'fetch',
+    'crypto',
   ];
   assert.deepStrictEqual(new Set(Object.keys(global)), new Set(expected));
 }