Module Federation not working with Content Security Policy (CSP) #3053
Description
Describe the bug
If you have a strict CSP then the remotes for won't load in module federation
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' [...trimmed urls...]
Adding unsafe-eval defeats the purpose of having a CSP, as it opens a security hole - can you advise how you to round this when using the module federation plugin 2.0?
Note: there is a similar issue, but in the other issue, the root cause was webpack related. I am not using webpack, I am using vite with module-federation/vite which uses core. Core does have eval going on which is triggering CSP
core/packages/runtime/src/utils/load.ts
Lines 20 to 34 in 57d70c4
core/packages/runtime/src/utils/load.ts
Lines 44 to 57 in 57d70c4
Is there anything that can be done about this or should I attempt to convince my company's security team to allow unsafe-eval (they will take one look at the name "unsafe" and give the standard response "NO")
Reproduction
unneeded, see source.
Used Package Manager
pnpm
System Info
System:
OS: macOS 14.6.1
CPU: (12) x64 Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
Memory: 98.71 MB / 32.00 GB
Shell: 5.9 - /bin/zsh
Binaries:
Node: 18.15.0 - ~/.nvm/versions/node/v18.15.0/bin/node
Yarn: 1.22.22 - /usr/local/bin/yarn
npm: 9.5.0 - ~/.nvm/versions/node/v18.15.0/bin/npm
pnpm: 8.1.0 - ~/Library/pnpm/pnpm
Watchman: 2024.05.06.00 - /usr/local/bin/watchman
Browsers:
Chrome: 129.0.6668.90
Safari: 17.6Validations
- Read the docs.
- Read the common issues list.
- Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
- Make sure this is a Module federation issue and not a framework-specific issue.
- The provided reproduction is a minimal reproducible example of the bug.