[Feature]: ModuleFederation: Unable to require trusted types via CSP #6759

Closed
eatlakson opened this issue Jun 7, 2024 · 9 comments
Labels
A-module-federation Area:module federation feat New feature or request stale

Comments

@eatlakson

System Info

System:
OS: Windows 11 10.0.22631
CPU: (40) x64 Intel(R) Xeon(R) Silver 4210R CPU @ 2.40GHz
Memory: 34.83 GB / 63.66 GB
Binaries:
Node: 20.11.0 - C:\Program Files\nodejs\node.EXE
Yarn: 1.22.22 - C:\Program Files\nodejs\yarn.CMD
npm: 10.2.4 - C:\Program Files\nodejs\npm.CMD
pnpm: 8.15.6 - C:\Program Files\nodejs\pnpm.CMD
Browsers:
Edge: Chromium (125.0.2535.85)
Internet Explorer: 11.0.22621.3527

Details

Rspack + Module Federation cannot load script files when Trusted Types are enabled via CSP.

Reproduce link

https://github.com/eatlakson/rspack_mf_tt

Reproduce Steps

  1. install dependencies: yarn
  2. build the packages: yarn build
  3. start the server: yarn start
  4. navigate to http://localhost/
  5. The app is unable to load due to a "This document requires 'TrustedScript' assignment" error in the console.
@eatlakson eatlakson added bug Something isn't working pending triage The issue/PR is currently untouched. labels Jun 7, 2024
@eatlakson eatlakson changed the title [Bug]: ModuleFederation: Unable to required trusted types via CSP [Bug]: ModuleFederation: Unable to require trusted types via CSP Jun 7, 2024
@eatlakson
Author

In addition to adding support for trusted types, what would also be fantastic is if the TT policy of the host could be shared with the remotes. (We actually have a custom plugin for webpack that does this by re-writing the runtime module.init call to pass in RuntimeGlobals.createScriptUrl as a third argument, and then updating the init body to assign that argument back to its RuntimeGlobals.createScriptUrl.) This way, the host doesn't have to continually update the CSP for all the unique remotes that are loaded.
It would be fantastic if this logic was natively supported.


@jerrykingxyz jerrykingxyz removed the pending triage The issue/PR is currently untouched. label Jun 11, 2024
@ahabhgk ahabhgk changed the title [Bug]: ModuleFederation: Unable to require trusted types via CSP [Feature]: ModuleFederation: Unable to require trusted types via CSP Jun 14, 2024
@ahabhgk ahabhgk added feat New feature or request and removed bug Something isn't working labels Jun 14, 2024
@zhoushaw
Member

@eatlakson It seems that your problem can be solved by the plugin mechanism https://module-federation.io/plugin/dev/index.html#createscript

@eatlakson
Author

Thanks @zhoushaw.
That is certainly an approach which could be used to support trusted types, but as it stands today, it doesn't work, since the script hook is not invoked until after the script.src is assigned -- which throws an exception when assigning to a string when TT are required.

This approach also doesn't allow for a secure mechanism for sharing the trusted type policy between hosts and remotes. For an application with many remotes, each one would need to have their own policy explicitly set in the CSP header of the host (assuming allow-duplicates is not set). Ideally, this wouldn't be necessary.


@ScriptedAlchemy
Contributor

@eatlakson you can send a pr to our runtime


stale bot commented Oct 6, 2024

This issue has been automatically marked as stale because it has not had recent activity. If this issue is still affecting you, please leave any comment (for example, "bump"). We are sorry that we haven't been able to prioritize it yet. If you have any new additional information, please include it with your comment!

@stale stale bot added the stale label Oct 6, 2024
@eatlakson
Author

bump.

Step 1 is allowing the createScriptHook to set the script.src value as a trusted type policy object. PR submitted for this minor change.

@SoonIter SoonIter added the A-module-federation Area:module federation label Oct 8, 2024
@ScriptedAlchemy
Contributor

I added a comment on your PR in my repo.

@stale stale bot removed the stale label Oct 8, 2024

stale bot commented Dec 7, 2024

This issue has been automatically marked as stale because it has not had recent activity. If this issue is still affecting you, please leave any comment (for example, "bump"). We are sorry that we haven't been able to prioritize it yet. If you have any new additional information, please include it with your comment!

@stale stale bot added the stale label Dec 7, 2024
@ScriptedAlchemy
Contributor

Should be resolved; changed the order of when the script src is added to the element, allowing the hook to work correctly.
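The createScript hook discussed in this thread, used to satisfy a Trusted Types CSP with one host-owned policy, as an added example (not code from this thread or from the Module Federation project). It assumes the `createScript({ url })` hook shape from the linked plugin documentation and that the hook runs before the runtime assigns `script.src`; the policy name `mf-remotes` and the origin allowlist are hypothetical.

```javascript
// Added example. Assumed names: policy "mf-remotes", the allowedOrigins list.
// Matching header on the host page, with a single policy name for every remote:
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types mf-remotes

// Validate a remote script URL against an origin allowlist (scheme + host + port).
function makeValidator(allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  return function validate(input) {
    const url = new URL(input); // throws on relative or malformed input
    // javascript:, data: and blob: URLs never match a listed origin, so they are rejected.
    if (!allowed.has(url.origin)) {
      throw new TypeError(`Script URL origin not in allowlist: ${url.origin}`);
    }
    return url.href;
  };
}

// Build a runtime plugin whose createScript hook sets script.src to a
// TrustedScriptURL, so the assignment is accepted when Trusted Types are required.
function trustedTypesPlugin({
  policyName,
  allowedOrigins,
  trustedTypes = globalThis.trustedTypes, // undefined where the API is unsupported
  doc = globalThis.document,
}) {
  const validate = makeValidator(allowedOrigins);
  // createPolicy throws if policyName is not listed in the trusted-types directive.
  const policy = trustedTypes
    ? trustedTypes.createPolicy(policyName, { createScriptURL: validate })
    : { createScriptURL: validate }; // same check, plain string result
  return {
    name: 'trusted-types-plugin',
    createScript({ url }) {
      const script = doc.createElement('script');
      script.src = policy.createScriptURL(url);
      return script;
    },
  };
}
```

Because every remote URL passes through the one host policy, the CSP lists a single policy name, and the allowlist rather than the header is what changes when a remote is added.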


6 participants