Describe the bug
Our setup uses rsbuild & the rspack module-federation plugin. It seems a line in the module federation runtime violates the unsafe-eval content security policy, and then swallows the exception. This results in spamming our tracking with millions of CSP violation reports, making it impossible to identify real malicious attempts. This issue is similar to #3053 and #2759, but on a different file/line.
The following code is causing this issue:

core/packages/runtime/src/global.ts, lines 29 to 35 in 3ac3fc8

```ts
export const nativeGlobal: typeof global = (() => {
  try {
    return new Function('return this')();
  } catch {
    return globalThis;
  }
})() as typeof global;
```
We previously had a webpack setup which used similar code to the one below, and so it never ran `new Function('return this')()`:

core/packages/webpack-bundler-runtime/src/container.ts, lines 199 to 206 in 3ac3fc8

```ts
__webpack_require__.g = (() => {
  if (typeof globalThis === 'object') return globalThis;
  try {
    return this || new Function('return this')();
  } catch (e) {
    if (typeof window === 'object') return window;
  }
})();
```
Would it be possible to revert to an approach like with the webpack runtime?
Reproduction
unneeded, see source.
Used Package Manager
pnpm
System Info
```
System:
  OS: macOS 15.0.1
  CPU: (12) arm64 Apple M3 Pro
  Memory: 39.31 MB / 36.00 GB
  Shell: 5.9 - /bin/zsh
Binaries:
  Node: 20.17.0 - ~/.nvm/versions/node/v20.17.0/bin/node
  npm: 10.8.2 - ~/.nvm/versions/node/v20.17.0/bin/npm
  pnpm: 9.12.2 - ~/Library/pnpm/pnpm
Browsers:
  Chrome: 129.0.6668.103
  Edge: 130.0.2849.46
  Safari: 18.0.1
```
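Added example, not part of the original issue or the module-federation code base: it runs the two lookup orderings quoted above with string-to-code compilation blocked and counts how often each one attempts it. The helper `countBlockedEvalAttempts`, the resolver function names and the stubbed `Function` constructor are assumptions of this sketch; the stub stands in for a browser enforcing a CSP without `unsafe-eval`.

```javascript
// Lookup from the issue (TypeScript cast dropped): always tries string-to-code first.
function resolveGlobalEager() {
  try {
    return new Function('return this')();
  } catch {
    return globalThis;
  }
}

// globalThis-first ordering, modelled on the webpack runtime snippet
// (its `this ||` shortcut is left out).
function resolveGlobalGuarded() {
  if (typeof globalThis === 'object') return globalThis;
  try {
    return new Function('return this')();
  } catch (e) {
    if (typeof window === 'object') return window;
  }
}

// Assumption of this sketch: CSP enforcement is simulated by swapping the
// Function constructor for a stub that throws EvalError and counts attempts.
// In a browser, each blocked attempt also produces a violation report, even
// when the caller swallows the exception.
function countBlockedEvalAttempts(resolver, pageLoads) {
  const realFunction = globalThis.Function;
  let attempts = 0;
  globalThis.Function = function blockedFunction() {
    attempts += 1;
    throw new EvalError('string-to-code blocked (simulated CSP)');
  };
  let resolved;
  try {
    for (let i = 0; i < pageLoads; i += 1) resolved = resolver();
  } finally {
    globalThis.Function = realFunction; // always restore the real constructor
  }
  return { attempts, resolvedGlobal: resolved === globalThis };
}

console.log('eager:  ', countBlockedEvalAttempts(resolveGlobalEager, 3));
console.log('guarded:', countBlockedEvalAttempts(resolveGlobalGuarded, 3));
```

Both orderings resolve the same global object; only the eager one registers a blocked attempt per simulated page load, which is the report noise the issue describes.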