module-federation
Nextjs plugin doesn't work unless the "unsafe-eval" CSP header is set
Describe the bug
The Nextjs plugin doesn't work if the "unsafe-eval" CSP header is not defined, which means the host apps are forced to use unsecure CSP settings or else they won't load.
Due to similar issues being raised in the past and fixed, I believe there is intention to support secure CSP headers in this project.
Some research
When running the app, this is the line that makes the script fail due to "unsafe-eval" not being present:
Seems to be related to this line executing: https://github.com/module-federation/core/blob/e38e48d1a5e0a7d22eb46843b0763469f3572a98/packages/nextjs-mf/src/plugins/container/runtimePlugin.ts#L72
Reproduction
https://github.com/fcano-ut/module-federation-reproduction-example-2497/pull/1
Used Package Manager
pnpm
System Info
System:
OS: macOS 14.5
CPU: (16) arm64 Apple M3 Max
Memory: 6.81 GB / 64.00 GB
Shell: 5.9 - /bin/zsh
Binaries:
Node: 20.13.1 - ~/.nodenv/versions/20.13.1/bin/node
Yarn: 1.22.22 - ~/.nodenv/versions/20.13.1/bin/yarn
npm: 10.5.2 - ~/.nodenv/versions/20.13.1/bin/npm
Browsers:
Chrome: 126.0.6478.127
Firefox: 128.0
Safari: 17.5
Validations
- [X] Read the docs.
- [X] Read the common issues list.
- [X] Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
- [X] Make sure this is a Module federation issue and not a framework-specific issue.
- [X] The provided reproduction is a minimal reproducible example of the bug.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
If anyone is interested in a workaround, we were able to bypass this issue by using patch-package to update code in runtimePlugin.js
From this:
const gs = new Function('return globalThis')();
to this:
let gs;
try{
gs = new Function('return globalThis')();
} catch(e) {
gs = window;
}
