[Feature]: ModuleFederation: Unable to require trusted types via CSP #6759

Open
eatlakson opened this issue Jun 7, 2024 · 3 comments
@eatlakson

System Info

System:
OS: Windows 11 10.0.22631
CPU: (40) x64 Intel(R) Xeon(R) Silver 4210R CPU @ 2.40GHz
Memory: 34.83 GB / 63.66 GB
Binaries:
Node: 20.11.0 - C:\Program Files\nodejs\node.EXE
Yarn: 1.22.22 - C:\Program Files\nodejs\yarn.CMD
npm: 10.2.4 - C:\Program Files\nodejs\npm.CMD
pnpm: 8.15.6 - C:\Program Files\nodejs\pnpm.CMD
Browsers:
Edge: Chromium (125.0.2535.85)
Internet Explorer: 11.0.22621.3527

Details

Rspack + Module Federation cannot load script files when Trusted Types are enabled via CSP.

Reproduce link

https://github.com/eatlakson/rspack_mf_tt

Reproduce Steps

  1. install dependencies: yarn
  2. build the packages: yarn build
  3. start the server: yarn start
  4. navigate to http://localhost/
  5. The app is unable to load due to a "This document requires 'TrustedScript' assignment" error in the console.
@eatlakson eatlakson added bug Something isn't working pending triage The issue/PR is currently untouched. labels Jun 7, 2024
@eatlakson eatlakson changed the title [Bug]: ModuleFederation: Unable to required trusted types via CSP [Bug]: ModuleFederation: Unable to require trusted types via CSP Jun 7, 2024
@eatlakson
Author

In addition to adding support for trusted types, what would also be fantastic is if the TT policy of the host could be shared with the remotes. (We actually have a custom plugin for webpack that does this by re-writing the runtime module.init call to pass in RuntimeGlobals.createScriptUrl as a third argument, and then update the init body to assign that argument back to its RuntimeGlobals.createScriptUrl). This way, the host doesn't have to continually update the CSP for all the unique remotes that are loaded.
It would be fantastic if this logic was natively supported.


@jerrykingxyz jerrykingxyz removed the pending triage The issue/PR is currently untouched. label Jun 11, 2024
@ahabhgk ahabhgk changed the title [Bug]: ModuleFederation: Unable to require trusted types via CSP [Feature]: ModuleFederation: Unable to require trusted types via CSP Jun 14, 2024
@ahabhgk ahabhgk added feat New feature or request and removed bug Something isn't working labels Jun 14, 2024
@zhoushaw
Member

@eatlakson It seems that your problem can be solved by the plugin mechanism https://module-federation.io/plugin/dev/index.html#createscript

@eatlakson
Author

Thanks @zhoushaw.
That is certainly an approach which could be used to support trusted types, but as it stands today, it doesn't work, since the script hook is not invoked until after the script.src is assigned -- which throws an exception when assigning to a string when TT are required.

This approach also doesn't allow for a secure mechanism for sharing the trusted type policy between hosts and remotes. For an application with many remotes, each one would need to have their own policy explicitly set in the CSP header of the host (assuming allow-duplicates is not set). Ideally, this wouldn't be necessary.

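The two points raised in this thread (a URL has to pass through a Trusted Types policy before it is assigned to script.src, and one host policy can serve every remote so the CSP lists a single name) can be shown with the standard browser API alone. This is an added example, not code from Rspack, Module Federation or any participant here; the function names, the policy name `host-loader` and the `.example` origins are assumptions made for illustration.

```javascript
// Constructed allowlist of remote entry origins (hypothetical values).
const REMOTE_ORIGINS = ['https://remote-a.example', 'https://remote-b.example'];

// Create the host's single policy. `tt` is the browser's `trustedTypes`
// factory, passed in so the logic can also be exercised outside a browser.
function createHostPolicy(tt, name, allowedOrigins, baseUrl) {
  return tt.createPolicy(name, {
    createScriptURL(input) {
      const url = new URL(input, baseUrl);
      // Refuse anything that is not a known remote origin.
      if (!allowedOrigins.includes(url.origin)) {
        throw new TypeError(`script URL origin not allowed: ${url.origin}`);
      }
      return url.href;
    },
  });
}

// Loader shared by host and remotes: the URL is converted by the policy
// BEFORE it reaches script.src. With require-trusted-types-for 'script',
// assigning a plain string to script.src throws instead.
function loadRemoteEntry(doc, policy, url) {
  const script = doc.createElement('script');
  script.src = policy.createScriptURL(url);
  doc.head.appendChild(script);
  return script;
}

// CSP value for the host. Every policy name that may be created must be
// listed, so one shared policy keeps this list at one entry regardless of
// how many remotes are loaded.
function buildCsp(policyNames) {
  return `require-trusted-types-for 'script'; trusted-types ${policyNames.join(' ')}`;
}

// Browser usage (skipped where Trusted Types is unavailable, e.g. Node).
if (typeof window !== 'undefined' && window.trustedTypes) {
  const policy = createHostPolicy(
    window.trustedTypes, 'host-loader', REMOTE_ORIGINS, document.baseURI);
  loadRemoteEntry(document, policy, 'https://remote-a.example/remoteEntry.js');
}
```

If each remote created its own policy instead, `buildCsp` would need every remote's policy name, which is the maintenance cost described in the comment above.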
