Content Security Policy unsafe-eval violation in runtime

[danhorvath]

Describe the bug

Our setup uses rsbuild & the rspack module-federation plugin. It seems a line in the module federation runtime violates the unsafe-eval content security policy, and then swallows the exception. This results in spamming our tracking with millions of CSP violation reports, making it impossible to identify real malicious attempts. This issue is similar to #3053 and #2759, but on a different file/line.

The following code is causing this issue:

core/packages/runtime/src/global.ts

Lines 29 to 35 in 3ac3fc8

	export const nativeGlobal: typeof global = (() => {
	try {
	return new Function('return this')();
	} catch {
	return globalThis;
	}
	})() as typeof global;

We previously had a webpack setup which used similar code to the one below, and so it never ran new Function('return this')():

core/packages/webpack-bundler-runtime/src/container.ts

Lines 199 to 206 in 3ac3fc8

	__webpack_require__.g = (() => {
	if (typeof globalThis === 'object') return globalThis;
	try {
	return this || new Function('return this')();
	} catch (e) {
	if (typeof window === 'object') return window;
	}
	})();

Would it be possible to revert to an approach like with the webpack runtime?

Reproduction

unneeded, see source.

Used Package Manager

pnpm

System Info

System:
    OS: macOS 15.0.1
    CPU: (12) arm64 Apple M3 Pro
    Memory: 39.31 MB / 36.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 20.17.0 - ~/.nvm/versions/node/v20.17.0/bin/node
    npm: 10.8.2 - ~/.nvm/versions/node/v20.17.0/bin/npm
    pnpm: 9.12.2 - ~/Library/pnpm/pnpm
  Browsers:
    Chrome: 129.0.6668.103
    Edge: 130.0.2849.46
    Safari: 18.0.1

Validations

• Read the docs.
• Read the common issues list.
• Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
• Make sure this is a Module federation issue and not a framework-specific issue.
• The provided reproduction is a minimal reproducible example of the bug.