Nextjs plugin doesn't work unless the "unsafe-eval" CSP header is set

[fcano-ut]

Describe the bug

The Nextjs plugin doesn't work if the "unsafe-eval" CSP header is not defined, which means the host apps are forced to use unsecure CSP settings or else they won't load.

Due to similar issues being raised in the past and fixed, I believe there is intention to support secure CSP headers in this project.

Some research

When running the app, this is the line that makes the script fail due to "unsafe-eval" not being present:

Seems to be related to this line executing:

core/packages/nextjs-mf/src/plugins/container/runtimePlugin.ts

Line 72 in e38e48d

const gs = new Function('return globalThis')();

Reproduction

fcano-ut/module-federation-reproduction-example-2497#1

Used Package Manager

pnpm

System Info

System:
    OS: macOS 14.5
    CPU: (16) arm64 Apple M3 Max
    Memory: 6.81 GB / 64.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 20.13.1 - ~/.nodenv/versions/20.13.1/bin/node
    Yarn: 1.22.22 - ~/.nodenv/versions/20.13.1/bin/yarn
    npm: 10.5.2 - ~/.nodenv/versions/20.13.1/bin/npm
  Browsers:
    Chrome: 126.0.6478.127
    Firefox: 128.0
    Safari: 17.5

Validations

• Read the docs.
• Read the common issues list.
• Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
• Make sure this is a Module federation issue and not a framework-specific issue.
• The provided reproduction is a minimal reproducible example of the bug.

[github-actions]

Stale issue message

[fcano-ut]

If anyone is interested in a workaround, we were able to bypass this issue by using patch-package to update code in runtimePlugin.js

From this:

const gs = new Function('return globalThis')(); 

to this:

let gs;

try{
  gs = new Function('return globalThis')();
} catch(e) {
  gs = window;
}

[ScriptedAlchemy]

Send a pr

[fcano-ut]

Opened a PR here: #3067