
Next.js use of globalThis causes CSP false positives without unsafe-eval #3772


Open
5 tasks done
mitchellrj opened this issue May 13, 2025 · 1 comment

@mitchellrj

Describe the bug

The solution to #3067 (#2015) first tries the approach that would be blocked by CSP, then falls back to an approach that is not blocked.

This causes a large number of false positive CSP reports to be generated, even when there is no threat and no impact to functionality.

Could the solution not try the safer version first, then the unsafe version if that fails? Or repurpose / adopt the work done in #3179?

Reproduction

N/A

Used Package Manager

npm

System Info

N/A

Validations

@ScriptedAlchemy
Member

Send a PR and we can release a canary to try - Next rewrites global references to __webpack_require__.g, which causes problems - so usually I need a solution that the parser cannot see and change.
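The ordering effect described in this issue, as an added example that is not part of the thread or the project's code: the same two lookup strategies are run in both orders under a simulated CSP without `unsafe-eval`, and the violation reports each order would generate are counted. Assumptions: the blocked approach is a `Function`-constructor lookup, the policy is simulated with a flag because Node enforces no CSP, and all names are hypothetical; it does not address the Next.js rewriting of global references raised in the reply.

```javascript
// Added illustration; names are hypothetical and not from the project's code base.
// A browser enforcing a CSP without 'unsafe-eval' throws EvalError on
// Function(...) and queues a violation report. Node has no CSP, so the policy
// is simulated with a flag and the reports are collected in an array.
function makeResolver(order, { cspBlocksEval }) {
  const reports = [];
  const strategies = {
    // CSP-safe: plain binding lookups, no string-to-code conversion.
    safe() {
      if (typeof globalThis === 'object' && globalThis) return globalThis;
      if (typeof self === 'object' && self) return self;
      throw new Error('no global object binding found');
    },
    // Needs 'unsafe-eval': compiles a string into code.
    unsafe() {
      if (cspBlocksEval) {
        // Constructed report, shaped like a CSP violation report body.
        reports.push({ 'effective-directive': 'script-src', 'blocked-uri': 'eval' });
        throw new EvalError('blocked by Content Security Policy');
      }
      return new Function('return this')();
    },
  };
  function resolve() {
    for (const name of order) {
      try {
        return strategies[name]();
      } catch (err) {
        // Fall through to the next strategy in the list.
      }
    }
    throw new Error('unable to resolve the global object');
  }
  return { resolve, reports };
}

// Resolve the global object `calls` times under the simulated policy.
function countReports(order, calls) {
  const r = makeResolver(order, { cspBlocksEval: true });
  let last;
  for (let i = 0; i < calls; i++) last = r.resolve();
  return { reports: r.reports.length, sameGlobal: last === globalThis };
}

console.log(countReports(['unsafe', 'safe'], 100)); // eval attempted first
console.log(countReports(['safe', 'unsafe'], 100)); // eval only as a fallback
```

Both orders return the same global object; only the eval-first order produces a report on every call, which is the noise a report collector has to absorb.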
