Description
Describe the bug
Our setup uses rsbuild & the rspack module-federation plugin. It seems a line in the module federation runtime violates the unsafe-eval content security policy, and then swallows the exception. This results in spamming our tracking with millions of CSP violation reports, making it impossible to identify real malicious attempts. This issue is similar to #3053 and #2759, but on a different file/line.
The following code is causing this issue:
core/packages/runtime/src/global.ts
Lines 29 to 35 in 3ac3fc8

```ts
export const nativeGlobal: typeof global = (() => {
  try {
    return new Function('return this')();
  } catch {
    return globalThis;
  }
})() as typeof global;
```
We previously had a webpack setup which used similar code to the one below, and so it never ran new Function('return this')():
core/packages/webpack-bundler-runtime/src/container.ts
Lines 199 to 206 in 3ac3fc8

```ts
__webpack_require__.g = (() => {
  if (typeof globalThis === 'object') return globalThis;
  try {
    return this || new Function('return this')();
  } catch (e) {
    if (typeof window === 'object') return window;
  }
})();
```
Would it be possible to revert to an approach like with the webpack runtime?
Reproduction
unneeded, see source.
Used Package Manager
pnpm
System Info
```
System:
  OS: macOS 15.0.1
  CPU: (12) arm64 Apple M3 Pro
  Memory: 39.31 MB / 36.00 GB
  Shell: 5.9 - /bin/zsh
Binaries:
  Node: 20.17.0 - ~/.nvm/versions/node/v20.17.0/bin/node
  npm: 10.8.2 - ~/.nvm/versions/node/v20.17.0/bin/npm
  pnpm: 9.12.2 - ~/Library/pnpm/pnpm
Browsers:
  Chrome: 129.0.6668.103
  Edge: 130.0.2849.46
  Safari: 18.0.1
```

Validations
- Read the docs.
- Read the common issues list.
- Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
- Make sure this is a Module federation issue and not a framework-specific issue.
- The provided reproduction is a minimal reproducible example of the bug.
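
The difference between the two lookups quoted in the issue can be measured outside a browser. This is an added example, not code from the issue or from the module-federation project: it assumes a Node.js `vm` context with string code generation disabled as a stand-in for a page served without `'unsafe-eval'`, and `probe`, `EVAL_FIRST` and `GLOBALTHIS_FIRST` are hypothetical names. Each counted attempt corresponds to a call that a browser would block and report.

```javascript
const vm = require('node:vm');

// The two lookups quoted in the issue, reduced to plain expressions.
const EVAL_FIRST = `(() => {
  try { return new Function('return this')(); } catch { return globalThis; }
})()`;
const GLOBALTHIS_FIRST = `(() => {
  if (typeof globalThis === 'object') return globalThis;
  try { return new Function('return this')(); }
  catch (e) { if (typeof window === 'object') return window; }
})()`;

// Evaluate one lookup in a fresh context where new Function() throws EvalError,
// and count how often the lookup tried to generate code from a string.
function probe(lookupSource) {
  const ctx = vm.createContext({}, { codeGeneration: { strings: false, wasm: false } });
  return vm.runInContext(`
    (() => {
      let evalAttempts = 0;
      // Counting wrapper around the context's own Function constructor.
      const Counted = new Proxy(Function, {
        construct(target, args) { evalAttempts++; return Reflect.construct(target, args); },
      });
      // Shadow Function inside the lookup so every attempt passes through the counter.
      const resolved = ((Function) => ${lookupSource})(Counted);
      return { resolvedGlobal: resolved === globalThis, evalAttempts };
    })()
  `, ctx);
}

const evalFirstResult = probe(EVAL_FIRST);
const globalThisFirstResult = probe(GLOBALTHIS_FIRST);
console.log({ evalFirstResult, globalThisFirstResult });
```

Both lookups resolve the global object, but only the eval-first form makes a blocked attempt before falling back, which is why the swallowed exception is invisible to the application while still being reported.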