Content Security Policy unsafe-eval violation in runtime #3103
danhorvath changed the title: Content Security Policy blocking → Content Security Policy unsafe-eval violation in runtime (Oct 22, 2024)
danhorvath pushed a commit to danhorvath/module-federation-core that referenced this issue on Oct 23, 2024:
The workaround to getting globalThis via evaluating "return this" gets blocked by commonly used CSPs and running it can result in an increased number of CSP violations being tracked. fix module-federation#3103
Describe the bug
Our setup uses rsbuild & the rspack module-federation plugin. It seems a line in the module federation runtime violates the unsafe-eval content security policy, and then swallows the exception. This results in spamming our tracking with millions of CSP violation reports, making it impossible to identify real malicious attempts. This issue is similar to #3053 and #2759, but on a different file/line.
The following code is causing this issue:
core/packages/runtime/src/global.ts
Lines 29 to 35 in 3ac3fc8
We previously had a webpack setup which used similar code to the one below, and so it never ran new Function('return this')():
core/packages/webpack-bundler-runtime/src/container.ts
Lines 199 to 206 in 3ac3fc8
Would it be possible to revert to an approach like with the webpack runtime?
Reproduction
unneeded, see source.
Used Package Manager
pnpm
System Info
Validations
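An added example, not part of the original issue and not code from the module-federation project: it contrasts the "evaluate `return this` and swallow the error" pattern described above with an eval-free global lookup. `blockedFunction` and `reports` are constructed stand-ins that simulate a browser enforcing a CSP without `unsafe-eval`, where the violation is recorded even though the caller catches the exception.

```javascript
// Added example, not module-federation code. `reports` and `blockedFunction`
// are constructed stand-ins for a browser enforcing a CSP without 'unsafe-eval':
// the violation is recorded first, then EvalError is thrown to the caller.
const reports = [];
function blockedFunction(body) {
  reports.push({ effectiveDirective: 'script-src', blockedURI: 'eval', sample: body });
  throw new EvalError('string evaluation blocked by policy (simulated)');
}

// The pattern the issue describes: evaluate "return this" and swallow the error.
// FunctionCtor is injectable only so the example runs outside a browser.
function evalBasedGlobal(FunctionCtor = Function) {
  try {
    return new FunctionCtor('return this')();
  } catch (e) {
    return typeof globalThis === 'object' ? globalThis : undefined;
  }
}

// Eval-free lookup: probe the standard names and accept a candidate only if it
// carries the same built-ins as the current realm.
function evalFreeGlobal() {
  const check = (g) => (g && g.Math === Math ? g : undefined);
  return (
    check(typeof globalThis === 'object' && globalThis) ||
    check(typeof self === 'object' && self) ||
    check(typeof window === 'object' && window) ||
    check(typeof global === 'object' && global)
  );
}

// Count the reports generated by `calls` invocations of a resolver.
function reportsAfter(calls, resolve) {
  reports.length = 0;
  for (let i = 0; i < calls; i++) resolve();
  return reports.length;
}

console.log('eval-based:', reportsAfter(3, () => evalBasedGlobal(blockedFunction)));
console.log('eval-free: ', reportsAfter(3, evalFreeGlobal));
```

Both resolvers return the same global object; only the eval-based one adds an entry to `reports` on every call, which is the report volume the issue describes.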