You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
eatlakson
changed the title
[Bug]: ModuleFederation: Unable to required trusted types via CSP
[Bug]: ModuleFederation: Unable to require trusted types via CSP
Jun 7, 2024
In addition to adding support for trusted types, what would also be fantastic, is if the TT policy of the host could be shared with the remotes. (We actually have a custom plugin for webpack that does this by re-writing the runtime module.init call to pass in RuntimeGlobals.createScriptUrl as a third argument, and then update the init body to assign that argument back to it's RuntimeGlobals.createScriptUrl). This way, the host doesn't have to continually update the CSP for all the unique remotes that are loaded.
It would be fantastic if this logic was natively supported.
ahabhgk
changed the title
[Bug]: ModuleFederation: Unable to require trusted types via CSP
[Feature]: ModuleFederation: Unable to require trusted types via CSP
Jun 14, 2024
thanks @zhoushaw.
That is certainly an approach which could be used to support trusted types, but as it stands today, it doesn't work, since the script hook is not invoked until after the script.src is assigned -- which throws an exception when assigning to a string when TT are required.
This approach also doesn't allow for a secure mechanism for sharing the trusted type policy between hosts and remotes. For an application with many remotes, each one would need to have their own policy explicitly set in the CSP header of the host (assuming allow-duplicates is not set). Ideally, this wouldn't be necessary.
System Info
System:
OS: Windows 11 10.0.22631
CPU: (40) x64 Intel(R) Xeon(R) Silver 4210R CPU @ 2.40GHz
Memory: 34.83 GB / 63.66 GB
Binaries:
Node: 20.11.0 - C:\Program Files\nodejs\node.EXE
Yarn: 1.22.22 - C:\Program Files\nodejs\yarn.CMD
npm: 10.2.4 - C:\Program Files\nodejs\npm.CMD
pnpm: 8.15.6 - C:\Program Files\nodejs\pnpm.CMD
Browsers:
Edge: Chromium (125.0.2535.85)
Internet Explorer: 11.0.22621.3527
Details
Rspack + Module Federation cannot load script files when Trusted Types are enabled via CSP.
Reproduce link
https://github.com/eatlakson/rspack_mf_tt
Reproduce Steps
yarn
yarn build
yarn start
http://localhost/
This document requires 'TrustedScript' assignment
error in console.The text was updated successfully, but these errors were encountered: